1. Akshay Agarwal, Mayank Vatsa, Richa Singh, and Nalini K. Ratha. 2020. Noise is inside me! generating adversarial perturbations with noise derived from natural filters. In IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops. 774–775.
2. Abdullah Al-Dujaili. 2019. There are no bit parts for sign bits in black-box attacks. arXiv preprint arXiv:1902.06894.
3. Rima Alaifari, Giovanni S. Alberti, and Tandri Gauksson. 2018. ADef: An iterative algorithm to construct adversarial deformations. In International Conference on Learning Representations.
4. Maksym Andriushchenko, Francesco Croce, Nicolas Flammarion, and Matthias Hein. 2020. Square attack: A query-efficient black-box adversarial attack via random search. In European Conference on Computer Vision. Springer, 484–501.
5. Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning. PMLR, 274–283.