| Category | Attack | Main Idea |
|---|---|---|
| Gradient-based | FGSM (Goodfellow et al., 2015) | Add a small perturbation in the direction of gradient |
| I-FGSM (Kurakin et al., 2015) | Iterative version of FGSM | |
| MI-FGSM (Dong et al., 2018) | Integrate the momentum term into the I-FGSM | |
| NI-FGSM (Lin et al., 2020) | Integrate the Nesterov's accelerated gradient into I-FGSM | |
| PI-FGSM (Gao et al., 2020) | Reuse the cut noise and apply a heuristic project strategy to generate patch-wise noise | |
| VMI-FGSM (Wang et al., 2021) | Variance tuning MI-FGSM | |
| VNI-FGSM (Wang et al., 2021) | Variance tuning NI-FGSM | |
| EMI-FGSM (Wang et al., 2021) | Accumulate the gradients of several data points linearly sampled in the direction of previous gradient | |
| AI-FGTM (Zou et al., 2022) | Adopt Adam to adjust the step size and momentum using the tanh function | |
| I-FGS²M (Zhang et al., 2021) | Assigning staircase weights to each interval of the gradient | |
| SMI-FGRM (Han et al., 2023) | Substitute the sign function with data rescaling and use the depth first sampling technique to stabilize the update direction. | |
| VA-I-FGSM (Zhang et al., 2022) | Adopt a larger step size and auxiliary gradients from other categories | |
| RAP (Qin et al., 2022) | Inject the worst-case perturbation when calculating the gradient. | |
| PC-I-FGSM (Wan et al., 2023) | Gradient Prediction-Correction on MI-FGSM | |
| IE-FGSM (Peng et al., 2023) | Integrate anticipatory data point to stabilize the update direction. | |
| GRA (Zhu et al., 2023) | Correct the gradient using the average gradient of several data points sampled in the neighborhood and adjust the update gradient with a decay indicator | |
| GNP (Wu et al., 2023) | Introduce a gradient norm penalty (GNP) term into the loss function | |
| MIG (Ma et al., 2023) | Utilize integrated gradient to steer the generation of adversarial perturbations | |
| DTA (Yang et al., 2023) | Calculate the gradient on several examples using small stepsize | |
| PGN (Ge et al., 2023) | Penalizing gradient norm on the original loss function | |
| NCS (Qiu et al., 2024) | Construct a max-min bi-level optimization problem aimed at finding flat adversarial regions | |
| ANDA (Fang et al., 2024) | Explicitly characterize adversarial perturbations from a learned distribution by taking advantage of the asymptotic normality property of stochastic gradient ascent. | |
| GI-FGSM (Wang et al., 2024) | Use global momentum initialization to better stablize update direction. | |
| Input transformation-based | DIM (Xie et al., 2019) | Random resize and add padding to the input sample |
| TIM (Dong et al., 2019) | Adopt a Gaussian kernel to smooth the gradient before updating the perturbation | |
| SIM (Ling et al., 2020) | Calculate the average gradient of several scaled images | |
| DEM (Zou et al., 2020) | Calculate the average gradient of several DIM's transformed images | |
| Admix (Wang et al., 2021) | Mix up the images from other categories | |
| ATTA (Wu et al., 2021) | Train an adversarial transformation network to perform the input-transformation | |
| MaskBlock (Fan et al., 2022) | Calculate the average gradients of multiple randomly block-level masked images. | |
| SSM (Long et al., 2022) | Randomly scale images and add noise in the frequency domain | |
| AITL (Yuan et al., 2022) | Select the most effective combination of image transformations specific to the input image. | |
| PAM (Zhang et al., 2023) | Mix adversarial examples with base images, where ratios are genreated by a trianed semantic predictor, for gradient accumulation. | |
| LPM (Wei et al., 2023) | Boosting Adversarial Transferability with Learnable Patch-wise Masks | |
| SIA (Wang et al., 2023) | Split the image into blocks and apply various transformations to each block | |
| STM (Ge et al., 2023) | Transform the image using a style transfer network | |
| USMM (Wang et al., 2023) | Apply uniform scale and a mix mask from an image of a different category to the input image | |
| DeCowA (Lin et al., 2024) | Augments input examples via an elastic deformation, to obtain rich local details of the augmented inputs | |
| L2T (Zhu et al., 2024) | Optimizing the input-transformation trajectory along the adversarial iteration | |
| BSR (Wang et al., 2024) | Randomly shuffles and rotates the image blocks | |
| Advanced objective | TAP (Zhou et al., 2018) | Maximize the difference of feature maps between benign sample and adversarial example and smooth the perturbation |
| ILA (Huang et al., 2019) | Enlarge the similarity of feature difference between the original adversarial example and benign sample | |
| ATA (Wu et al., 2020) | Add a regularizer on the difference between attention maps of benign sample and adversarial example | |
| YAILA (Li et al., 2020) | Establishe a linear map between intermediate-level discrepancies and classification loss | |
| FIA (Wang et al., 2021) | Minimize a weighted feature map in the intermediate layer | |
| IR (Wang et al., 2021) | Introduces the interaction regularizer into the objective function to minimize the interaction for better transferability | |
| TRAP (Wang et al., 2021) | Utilize affine transformations and reference feature map | |
| TAIG (Huang et al., 2022) | Adopt the integrated gradient to update perturbation | |
| FMAA (He et al., 2022) | Utilize momentum to calculate the weight matrix in FIA | |
| NAA (Zhang et al., 2022) | Compute the feature importance of each neuron with decomposition on integral | |
| RPA (Zhang et al., 2022) | Calculate the weight matrix in FIA on randomly patch-wise masked images | |
| Fuzziness_Tuned (Yang et al., 2023) | The logits vector is fuzzified using the confidence scaling mechanism and temperature scaling mechanism | |
| DANAA (Jin et al., 2023) | Utilize an adversarial non-linear path to compute feature importance for each neuron by decomposing the integral | |
| ILPD (Li et al., 2023) | Decays the intermediate-level perturbation from the benign features by mixing the features of benign samples and adversarial examples | |
| BFA (Wang et al., 2024) | Calcuate the weight matrix in FIA on adversarial examples generated by I-FGSM | |
| Model-related | SGM (Wu et al., 2021) | Utilize more gradients from the skip connections in the residual blocks |
| PNA-PatchOut (Wei et al., 2022) | Ignore gradient of attention and randomly drop patches among the perturbation | |
| IAA (Zhu et al., 2022) | Replace ReLU with Softplus and decrease the weight of residual module | |
| SAPR (Zhou et al., 2022) | Randomly permute input tokens at each attention layer | |
| SETR (Naseer et al., 2022) | Ensemble and refine classifiers after each transformer block | |
| DRA (Zhu et al., 2022) | Use fine-tuned models to push the image away from the original distribution while generating the adversarial examples. | |
| MTA (Qin et al., 2023) | Train a meta-surrogate model (MSM), whose adversarial examples can maximize the loss on a single or a set of pre-trained surrogate models | |
| MUP (Yang et al., 2023) | Mask unimportant parameters of surrogate models | |
| TGR (Zhang et al., 2023) | Scale the gradient and mask the maximum or minimum gradient magnitude | |
| DSM (Yang et al., 2022) | Train surrogate models in a knowledge distillation manner and adopt CutMix on the input | |
| DHF (Wang et al., 2023) | Mixup the feature of current examples and benign samples and randomly replaces the features with their means. | |
| BPA (Wang et al., 2023) | Recover the trunctaed gradient of non-linear layers | |
| AGS (Wang et al., 2024) | Train surrogate models with adversary-centric contrastive learning and adversarial invariant learning | |
| MetaSSA (Weng et al., 2024) | Utilizes low-frequency feature mixing for meta-train to compute gradients, averages gradients through adversarial feature mixing during meta-test, and updates adversarial examples using gradients from both steps. | |
| VDC (Zhang et al., 2024) | Adding virtual dense connections for dense gradient back-propagation in Attention maps and MLP blocks, without altering the forward pass. | |
| Ensemble-based | Ens (Liu et al., 2017) | Generate the adversarial examplesusing multiple models |
| Ghost (Li et al., 2020) | Densely apply dropout and random scaling on the skip connection to generate several ghost networks to average the gradient | |
| SVRE (Xiong et al., 2020) | Use the stochastic variance reduced gradient to update the adversarial example | |
| LGV (Gubri et al., 2022) | Ensemble multiple weight sets from a few additional training epochs with a constant and high learning rate | |
| MBA (Li et al., 2023) | Maximize the average prediction loss on several models obtained by single run of fine-tuning the surrogate model using Bayes optimization | |
| AdaEA (Chen et al., 2023) | Adjust the weights of each surrogate model in ensemble attack using adjustment strategy and reducing conflicts between surrogate models by reducing disparity of gradients of them | |
| CWA (Chen et al., 2023) | Define the common weakness of an ensemble of models as the solution that is at the flat landscape and close to the models' local optima | |
| Generation-based | CDTP (Naseer et al., 2019) | Train a generative model on datasets from different domains to learn domain-invariant perturbations |
| LTP (Nakka et al., 2021) | Introduce a loss function based on such mid-level features to learn an effective, transferable perturbation generator | |
| ADA (Kim et al., 2022) | Utilize a generator to stochastically perturb shared salient features across models to avoid poor local optima and explore the search space thoroughly | |
| GE-ADVGAN (Zhu et al., 2024) | Enhance the transferability of adversarial samples by incorporating gradient editing mechanisms and frequency domain exploration into the generative model's training process. |
| Category | Attack | Main Idea |
|---|---|---|
| Input transformation-based | ODI (Byun et al., 2022) | Diverse inputs based on 3D objects |
| SU (Wei et al., 2023) | Optimize adversarial perturbation on the original and cropped images by minimizing prediction error and maximizing their feature similarity | |
| IDAA (Liu et al., 2024) | Design local mixup to randomly mix a group of transformed adversarial images, strengthening the input diversity | |
| Advanced objective | AA (Inkawhich et al., 2019) | Minimize the similarity of feature difference between the original adversarial example and target benign sample |
| PoTrip (Li et al., 2020) | Introduce the Poincare distance as the similarity metric to make the magnitude of gradient self-adaptive | |
| Logit (Zhao et al., 2021) | Replace the cross-entropy loss with logit loss | |
| Logit-Margin (Weng et al., 2023) | Downscale the logits using a temperature factor and an adaptive margin | |
| CFM (Byun et al., 2023) | Mix feature maps of adversarial examples with clean feature maps of benign images stocastically | |
| FFT (Zeng et al., 2024) | Fine-tuning a crafted adversarial example in the feature space | |
| Generation-based | TTP (Naseer et al., 2021) | Train a generative model to generate adversarial examples, of which both the global distribution and local neighborhood structure in the latent feature space are matched with the target class. |
| Ensemble-based | SASD_WS (Wu et al., 2024) | Incorporate Sharpness-Aware Self-Distillation (SASD) and Weight Scaling (WS) to promote the source model's generalization capability. |
| Category | Attacks | CNNs | ViTs | Defenses | ResNet-18 | ResNet-101 | ResNeXt-50 | DenseNet-101 | ViT | PiT | Visformer | Swin | AT | HGD | RS | NRP |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gradient-based | FGSM | 96.1 | 33.5 | 36.8 | 60.2 | 15.0 | 17.8 | 26.4 | 32.7 | 33.4 | 25.9 | 22.9 | 29.7 |
| I-FGSM | 100.0 | 14.9 | 18.6 | 42.9 | 4.9 | 10.0 | 14.6 | 21.7 | 30.3 | 8.8 | 20.0 | 13.7 | |
| MI-FGSM | 100.0 | 42.9 | 46.3 | 73.9 | 17.2 | 23.8 | 33.7 | 42.5 | 33.1 | 32.0 | 22.4 | 26.5 | |
| NI-FGSM | 100.0 | 43.8 | 47.2 | 77.0 | 16.6 | 21.5 | 33.3 | 43.2 | 33.0 | 33.2 | 22.5 | 27.3 | |
| PI-FGSM | 100.0 | 37.9 | 46.3 | 72.7 | 14.4 | 17.7 | 27.2 | 37.9 | 37.2 | 37.6 | 31.9 | 36.1 | |
| VMI-FGSM | 100.0 | 62.0 | 64.9 | 88.9 | 28.2 | 39.4 | 53.2 | 58.6 | 36.0 | 53.8 | 26.1 | 40.8 | |
| VNI-FGSM | 100.0 | 62.2 | 64.8 | 89.8 | 26.3 | 35.9 | 52.5 | 56.3 | 34.6 | 50.2 | 25.0 | 38.2 | |
| EMI-FGSM | 100.0 | 57.0 | 59.0 | 89.0 | 21.2 | 28.9 | 44.6 | 52.2 | 35.0 | 43.2 | 24.9 | 32.6 | |
| AI-FGTM | 100.0 | 36.2 | 39.6 | 69.5 | 13.9 | 20.1 | 29.7 | 37.3 | 32.0 | 26.9 | 21.7 | 23.5 | |
| I-FGS²M | 100.0 | 22.7 | 27.0 | 54.5 | 9.0 | 12.1 | 20.1 | 28.9 | 30.8 | 16.2 | 20.2 | 16.6 | |
| SMI-FGRM | 99.8 | 40.2 | 44.5 | 77.1 | 14.0 | 21.0 | 30.7 | 43.9 | 36.6 | 31.6 | 26.0 | 30.5 | |
| VA-I-FGSM | 100.0 | 17.7 | 22.4 | 46.9 | 7.2 | 11.2 | 15.0 | 22.7 | 30.3 | 12.7 | 20.1 | 19.2 | |
| RAP | 100.0 | 51.8 | 58.5 | 87.5 | 21.1 | 26.9 | 43.1 | 49.3 | 32.4 | 39.7 | 22.8 | 31.0 | |
| PC-I-FGSM | 100.0 | 42.8 | 46.8 | 74.5 | 17.1 | 23.6 | 33.4 | 42.8 | 32.9 | 32.1 | 22.9 | 29.3 | |
| IE-FGSM | 100.0 | 51.1 | 54.5 | 83.9 | 19.0 | 28.4 | 40.1 | 47.2 | 33.2 | 39.9 | 22.8 | 28.9 | |
| GRA | 100.0 | 67.9 | 70.0 | 93.9 | 30.3 | 39.3 | 54.5 | 64.2 | 40.8 | 61.0 | 35.1 | 54.8 | |
| GNP | 100.0 | 50.3 | 55.4 | 82.7 | 21.5 | 26.9 | 39.5 | 47.0 | 33.3 | 40.4 | 24.1 | 30.6 | |
| MIG | 100.0 | 54.3 | 58.0 | 87.2 | 22.9 | 31.3 | 44.3 | 53.5 | 37.5 | 47.7 | 26.5 | 39.8 | |
| DTA | 100.0 | 50.6 | 54.8 | 82.5 | 18.1 | 26.0 | 40.2 | 44.8 | 33.0 | 40.6 | 23.1 | 29.2 | |
| PGN | 100.0 | 69.3 | 73.3 | 94.7 | 32.7 | 42.9 | 56.0 | 66.5 | 40.5 | 63.3 | 34.9 | 56.9 | |
| NCS | 100.0 | 80.5 | 82.9 | 96.8 | 45.6 | 54.3 | 68.6 | 75.1 | 41.3 | 74.6 | 36.3 | 62.6 | |
| ANDA | 100.0 | 74.4 | 78.9 | 96.9 | 42.0 | 50.4 | 65.8 | 69.0 | 38.0 | 71.8 | 26.9 | 42.9 | GI-FGSM | 100.0 | 48.0 | 53.6 | 81.7 | 17.8 | 24.9 | 38.3 | 45.4 | 34.0 | 36.9 | 23.7 | 31.2 |
| Input transformation-based | DIM | 100.0 | 62.7 | 67.3 | 90.3 | 29.5 | 37.1 | 53.7 | 58.7 | 36.5 | 58.5 | 24.9 | 36.0 |
| TIM | 100.0 | 37.2 | 45.0 | 71.8 | 15.5 | 19.6 | 29.3 | 39.1 | 37.4 | 35.2 | 32.5 | 37.4 | |
| SIM | 100.0 | 59.9 | 63.1 | 89.9 | 24.8 | 34.1 | 51.0 | 53.9 | 36.1 | 52.0 | 25.1 | 38.2 | |
| DEM | 100.0 | 76.4 | 78.8 | 97.3 | 39.9 | 45.6 | 66.0 | 67.0 | 38.6 | 78.6 | 30.5 | 47.3 | |
| Admix | 100.0 | 68.2 | 71.8 | 95.1 | 30.0 | 38.6 | 56.1 | 60.5 | 37.6 | 60.1 | 27.6 | 44.2 | |
| ATTA | 100.0 | 46.6 | 50.3 | 79.4 | 17.5 | 26.3 | 37.3 | 45.3 | 33.8 | 38.1 | 22.8 | 30.4 | |
| MaskBlock | 100.0 | 49.2 | 51.4 | 78.6 | 18.0 | 25.1 | 38.1 | 45.6 | 33.9 | 36.8 | 22.9 | 30.5 | |
| SSM | 99.9 | 70.5 | 73.8 | 93.5 | 30.4 | 39.4 | 54.5 | 63.3 | 37.2 | 62.1 | 29.2 | 50.9 | |
| AITL | 99.5 | 78.9 | 82.4 | 96.3 | 46.4 | 51.4 | 68.1 | 71.1 | 41.8 | 79.7 | 32.9 | 53.1 | |
| PAM | 100.0 | 56.5 | 58.5 | 89.1 | 19.7 | 29.7 | 42.8 | 49.9 | 36.3 | 48.0 | 25.0 | 36.0 | |
| LPM | 100.0 | 52.7 | 55.4 | 82.6 | 22.0 | 29.0 | 42.4 | 46.6 | 33.6 | 41.1 | 23.7 | 31.5 | |
| SIA | 100.0 | 87.5 | 90.5 | 99.1 | 43.5 | 57.8 | 77.5 | 78.0 | 39.2 | 81.4 | 28.8 | 51.9 | |
| STM | 100.0 | 75.4 | 77.2 | 96.1 | 35.7 | 45.2 | 61.5 | 68.1 | 40.9 | 70.7 | 32.5 | 58.8 | |
| USMM | 100.0 | 74.0 | 78.1 | 96.4 | 33.7 | 45.3 | 62.8 | 64.8 | 40.0 | 66.1 | 29.4 | 50.8 | |
| DeCowA | 100.0 | 84.8 | 87.7 | 98.6 | 53.6 | 64.0 | 79.5 | 79.7 | 43.6 | 85.7 | 35.2 | 56.0 | |
| L2T | 100.0 | 88.4 | 89.9 | 98.8 | 50.7 | 64.2 | 79.6 | 79.7 | 43.0 | 86.7 | 32.9 | 60.6 | |
| BSR | 100.0 | 85.4 | 87.9 | 99.1 | 42.9 | 56.9 | 74.6 | 77.0 | 38.6 | 80.1 | 27.3 | 48.1 | |
| Advanced objective | TAP | 100.0 | 38.5 | 42.4 | 72.0 | 14.3 | 17.9 | 28.5 | 34.2 | 31.6 | 28.9 | 20.8 | 25.9 |
| ILA | 100.0 | 45.6 | 51.9 | 77.8 | 15.2 | 21.6 | 35.3 | 44.4 | 32.0 | 31.5 | 20.1 | 22.9 | ATA | 100.0 | 16.4 | 19.6 | 41.8 | 5.9 | 8.9 | 14.4 | 21.4 | 30.4 | 10.0 | 20.5 | 15.7 |
| YAILA | 51.5 | 26.2 | 28.5 | 49.0 | 6.7 | 11.4 | 16.5 | 25.7 | 29.3 | 13.4 | 18.8 | 14.7 | |
| FIA | 99.5 | 31.0 | 36.4 | 65.3 | 10.2 | 16.3 | 24.4 | 35.3 | 31.4 | 18.9 | 21.1 | 19.9 | |
| IR | 100.0 | 42.0 | 45.3 | 74.0 | 16.7 | 23.4 | 33.4 | 40.9 | 40.8 | 32.2 | 28.0 | 22.8 | |
| TRAP | 96.9 | 63.2 | 66.7 | 85.1 | 23.6 | 33.3 | 52.8 | 56.5 | 33.0 | 56.8 | 20.6 | 26.2 | |
| TAIG | 100.0 | 26.0 | 29.1 | 62.0 | 8.4 | 14.1 | 21.8 | 32.4 | 32.3 | 18.3 | 20.9 | 18.2 | |
| FMAA | 100.0 | 39.5 | 44.6 | 80.3 | 11.1 | 20.1 | 29.4 | 41.2 | 32.4 | 25.9 | 21.3 | 22.3 | |
| NAA | 99.5 | 56.5 | 58.9 | 80.8 | 23.9 | 33.9 | 46.8 | 54.5 | 34.8 | 44.2 | 23.9 | 36.8 | |
| RPA | 100.0 | 62.5 | 68.7 | 91.6 | 23.7 | 34.2 | 49.6 | 57.0 | 35.8 | 56.3 | 26.7 | 39.1 | |
| Fuzziness_Tuned | 100.0 | 39.9 | 46.5 | 75.3 | 15.6 | 21.2 | 31.5 | 38.9 | 33.1 | 29.9 | 27.6 | 22.8 | |
| DANAA | 100.0 | 59.6 | 63.8 | 90.4 | 17.3 | 26.4 | 44.7 | 49.8 | 34.8 | 44.9 | 23.4 | 32.4 | |
| ILPD | 70.6 | 68.0 | 68.0 | 72.0 | 31.8 | 46.1 | 52.6 | 55.9 | 33.8 | 50.7 | 24.0 | 50.0 | |
| BFA | 100.0 | 77.8 | 79.7 | 96.7 | 28.9 | 43.4 | 64.2 | 65.9 | 35.9 | 65.6 | 25.7 | 41.0 | |
| Model-related | SGM | 100.0 | 48.4 | 50.9 | 78.5 | 20.1 | 28.7 | 39.7 | 48.3 | 34.9 | 37.5 | 24.2 | 30.9 |
| PNA-PatchOut | 47.5 | 34.3 | 36.5 | 45.8 | 81.3 | 39.1 | 40.9 | 53.0 | 31.7 | 29.0 | 22.5 | 27.1 | |
| IAA | 100.0 | 44.2 | 50.6 | 85.1 | 12.8 | 19.6 | 32.8 | 40.4 | 33.3 | 29.4 | 22.0 | 26.0 | |
| SAPR | 66.4 | 50.3 | 53.2 | 65.6 | 96.7 | 57.5 | 60.4 | 75.4 | 35.4 | 41.8 | 24.8 | 31.9 | |
| SETR | 72.6 | 36.6 | 43.4 | 64.5 | 54.3 | 33.6 | 43.5 | 68.8 | 36.5 | 31.6 | 25.5 | 50.7 | |
| DRA | 99.4 | 91.0 | 90.7 | 98.5 | 75.7 | 79.5 | 87.0 | 89.2 | 69.2 | 92.6 | 68.3 | 82.4 | |
| MTA | 82.4 | 44.2 | 46.8 | 74.9 | 12.6 | 17.9 | 31.7 | 41.0 | 30.4 | 34.5 | 19.1 | 19.2 | |
| MUP | 100.0 | 50.7 | 51.0 | 81.2 | 18.5 | 26.3 | 37.4 | 43.3 | 33.8 | 37.1 | 22.7 | 29.6 | |
| TGR | 70.8 | 48.1 | 52.6 | 68.2 | 98.3 | 56.0 | 61.8 | 73.4 | 36.6 | 43.5 | 28.0 | 36.9 | |
| DSM | 98.9 | 60.4 | 66.3 | 91.9 | 23.8 | 33.8 | 49.3 | 56.2 | 34.7 | 48.7 | 24.3 | 34.1 | |
| DHF | 100.0 | 70.4 | 72.1 | 92.3 | 31.5 | 43.4 | 59.8 | 61.9 | 35.9 | 59.8 | 25.5 | 40.2 | |
| BPA | 100.0 | 59.0 | 63.9 | 88.1 | 22.8 | 32.0 | 47.6 | 54.4 | 35.1 | 47.3 | 26.1 | 37.7 | |
| AGS | 86.1 | 55.8 | 60.3 | 81.6 | 29.0 | 22.0 | 46.7 | 46.1 | 37.8 | 62.2 | 27.4 | 39.4 | |
| MetaSSA | 100.0 | 72.8 | 78.3 | 96.0 | 41.3 | 51.3 | 64.3 | 64.8 | 40.7 | 75.4 | 31.5 | 55.1 | |
| VDC | 68.1 | 47.9 | 53.0 | 65.5 | 99.8 | 56.7 | 62.0 | 73.1 | 35.8 | 43.9 | 27.0 | 35.1 | |
| Ensemble-based | ENS | 100.0 | 91.7 | 92.5 | 100.0 | 38.7 | 53.0 | 66.6 | 66.4 | 33.5 | 67.8 | 24.7 | 56.1 |
| Ghost | 64.4 | 93.9 | 63.1 | 66.9 | 19.1 | 29.7 | 39.5 | 42.3 | 31.2 | 36.1 | 21.2 | 54.7 | |
| SVRE | 100.0 | 97.7 | 98.0 | 100.0 | 40.6 | 54.4 | 69.9 | 69.5 | 33.8 | 74.9 | 24.1 | 59.7 | |
| LGV | 97.7 | 69.5 | 69.4 | 93.6 | 23.1 | 29.2 | 43.7 | 51.5 | 34.5 | 52.9 | 24.5 | 37.3 | |
| MBA | 100.0 | 96.0 | 95.2 | 99.8 | 41.9 | 51.8 | 75.1 | 76.8 | 39.5 | 86.1 | 28.7 | 52.1 | |
| AdaEA | 100.0 | 91.9 | 92.7 | 100.0 | 39.4 | 52.4 | 67.3 | 67.0 | 33.9 | 69.6 | 24.3 | 58.0 | |
| CWA | 99.7 | 98.3 | 99.1 | 100.0 | 33.9 | 47.7 | 66.4 | 65.0 | 35.8 | 69.4 | 24.9 | 68.9 | |
| Generation-based | CDTP | 72.8 | 29.9 | 39.8 | 64.6 | 10.5 | 18.7 | 37.4 | 35.7 | 32.6 | 34.8 | 20.7 | 48.7 |
| LTP | 99.1 | 98.7 | 98.7 | 99.5 | 45.1 | 69.4 | 92.1 | 90.2 | 31.7 | 96.5 | 21.6 | 29.7 | |
| ADA | 69.9 | 47.5 | 45.2 | 63.6 | 8.5 | 11.2 | 31.7 | 29.4 | 29.4 | 37.0 | 20.6 | 16.3 | |
| GE-ADVGAN | 97.7 | 47.7 | 59.8 | 73.4 | 13.8 | 8.2 | 22.6 | 23.2 | 31.1 | 52.5 | 34.0 | 33.0 | |
| Category | Attacks | CNNs | ViTs | Defenses | ResNet-18 | ResNet-101 | ResNeXt-50 | DenseNet-101 | ViT | PiT | Visformer | Swin | AT | HGD | RS | NRP | Input transformation-based | ODI | 98.9 | 38.6 | 45.5 | 67.0 | 9.4 | 13.9 | 29.5 | 19.9 | 0.1 | 41.4 | 0.0 | 1.0 | SU | 99.2 | 7.2 | 8.0 | 19.7 | 0.1 | 0.6 | 2.1 | 1.8 | 0.1 | 2.1 | 0.0 | 0.2 | IDAA | 87.1 | 2.6 | 3.0 | 13.0 | 1.3 | 1.8 | 2.1 | 3.3 | 0.4 | 1.5 | 0.0 | 0.1 | Advanced objective | AA | 5.0 | 0.7 | 0.7 | 0.9 | 0.3 | 0.3 | 0.3 | 0.1 | 0.0 | 0.2 | 0.0 | 0.0 | PoTrip | 100.0 | 3.2 | 5.1 | 15.7 | 0.1 | 0.3 | 1.3 | 1.1 | 0.0 | 3.0 | 0.0 | 0.2 | Logit | 99.0 | 13.5 | 18.5 | 38.5 | 1.9 | 2.9 | 8.3 | 3.8 | 0.1 | 14.4 | 0.0 | 0.3 | Logit-Margin | 100.0 | 13.6 | 19.1 | 42.8 | 1.8 | 3.3 | 8.4 | 4.4 | 0.0 | 14.0 | 0.0 | 0.2 | CFM | 98.3 | 39.6 | 44.8 | 66.1 | 9.6 | 11.4 | 26.6 | 18.9 | 0.2 | 37.6 | 0.0 | 1.6 | FFT | 99.8 | 17.5 | 21.6 | 45.1 | 1.3 | 2.8 | 10.3 | 6.6 | 0.1 | 13.2 | 0.0 | 0.4 | Generation-based | TTP | 96.2 | 19.6 | 27.4 | 62.4 | 3.2 | 4.3 | 19.5 | 5.3 | 0.0 | 0.0 | 0.3 | 4.1 | Ensemble-based | SASD_WS | 91.7 | 70.9 | 76.9 | 91.5 | 13.7 | 22.5 | 39.9 | 29.0 | 0.1 | 64.7 | 0.1 | 5.7 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Xiaosen Wang |
Zeyuan Yin |
Zeliang Zhang |
Kunyu Wang |
Zhijin Ge |
Yuyang Luo |
