2020 25th International Conference on Pattern Recognition (ICPR)

Milan, Italy, Jan 10-15, 2021

Defense Mechanism Against Adversarial Attacks

Using Density-based Representation of Images
Yen-Ting Huang Wen-Hung Liao Chen-Wei Huang

Department of Computer Science Department of Computer Science Department of Computer Science

National Chengchi University National Chengchi University National Chengchi University
Taipei, TAIWAN Taipei, TAIWAN Taipei, TAIWAN
Email: ythuang.peter@gmail.com Email: whliao@gmail.com Email: waylon-09@hotmail.com

Abstract—Adversarial examples are slightly modified inputs

devised to cause erroneous inference of deep learning models.
Protection against the intervention of adversarial examples is
a fundamental issue that needs to be addressed before the
wide adoption of deep-learning based intelligent systems. In this
research, we utilize the method known as input recharacteri-
2020 25th International Conference on Pattern Recognition (ICPR) | 978-1-7281-8808-9/21/$31.00 ©2021 IEEE | DOI: 10.1109/ICPR48806.2021.9412472

zation to effectively eliminate the perturbations found in the

adversarial examples. By converting images from the intensity
domain into density-based representation using halftoning oper-
ation, performance of the classifier can be properly maintained.
With adversarial attacks generated using FGSM, I-FGSM, and
PGD, the top-5 accuracy of the hybrid model can still achieve
80.97%, 78.77%, 81.56%, respectively. Although the accuracy
has been slightly affected, the influence of adversarial examples is
significantly discounted. The average improvement over existing
input transform defense mechanisms is approximately 10%.

I. I NTRODUCTION
Recent advances in deep neural networks have brought
forth revolutionary breakthroughs in many areas, including
object recognition, identity authentication, natural language
processing, and image generation. Driven by the emergence of
big data and hardware acceleration, deep learning can exploit
more abstract levels of representation to capture the charac-
teristics of the data. However, recent research has found that
deep neural networks are susceptible to adversarial examples
[1], which are produced by adding visually imperceptible
perturbations to image pixels. Adversarial examples are not
easily detectable by humans, but they can easily deceive
deep neural networks. Therefore, adversarial vulnerabilities of
neural networks have become one of the most important risks
in security-sensitive applications [2]–[4]. The presence of
adversarial examples has accelerated researches on developing
defense mechanisms aimed to improve the robustness of these
learning-based models.
According to [6], [13], the existence of adversarial examples
can be attributed to mapping discontinuity in high-dimensional
decision space for deep learning models. As illustrated in
Fig. 1, the decision boundary of the trained model is very close
to the real data distribution. By adding subtle adversarial per-
turbations to the test sample, the model would misclassify the
slightly modified input. The problem is formally formulated
as follows.
Fig. 1: Illustration of adversarial example generation [5].
argmin k  k2 , s.t.F(X + ; θ) 6= F(X ; θ) (1)

where  denotes the perturbation added, F represents the
classification model, and θ refers to the model parameters.
One possible approach to counter adversarial attacks is to
pre-process the input data so that it will fall into the correct
side of the decision boundary afterward. The authors in [9]
investigate defense strategies based on image transformations
such as bit-depth reduction, JPEG compression, total variance
minimization, and image quilting. By altering particular statis-
tics of the input images, they hope to change the structure
of these perturbations and reduce their adversarial effects.
However, both total variance minimization and image quilting,
which exhibit stronger defense performance in their exper-
iments, require high computational resources. The strength
of their proposed strategy can also be further enhanced. Our
objective is to devise a lightweight defense measure based
on domain transformation to effectively counter adversarial
attacks in image classification tasks.
Our proposed defense mechanism converts an input image
from the intensity domain to the density domain as depicted

978-1-7281-8808-9/20/$31.00 ©2020 IEEE 3499

Authorized licensed use limited to: SOUTHWEST JIAOTONG UNIVERSITY. Downloaded on February 28,2024 at 06:39:32 UTC from IEEE Xplore. Restrictions apply.
 Fig. 2: Possible means of recharacterizing adversarial input.
Fig. 2, an operation that is termed input recharacterization in
this research. Specifically, input recharacterization can consist
of two stages: a forward conversion (C) and an optional
backward reconstruction (R). Our hope is that by going
through the lossy one-way (C) or two-way transformation(C
and R), the purposely added ’noise’ or ’perturbation’ will
become ineffective. In other words, we would like to verify if
one of the following three conditions will be satisfied using
the proposed transformation.
F(C(X + ); δ) = F(X ; θ)
F(R(C(X + )); θ) = F(X ; θ)
F(R(C(X + )); θ̂) = F(X ; θ) (4)
Eq.(2) refers to the case when forward conversion with
retraining in the transformed domain can handle the attack.
Eq.(3) indicates when a two-stage processing eliminates the
perturbation. Eq. (4) holds if a two-way transformation plus
model retraining are effective in resisting adversarial attacks.
In this work, we employ digital halftoning and inverse halfton-
ing as the domain transfer approach.
Our key findings and main contributions are summarized as
follows. 1) We have generalized the input transform scheme
for adversarial defense into input recharacterization and inves-
tigated its efficacy under different settings. 2) We demonstrated
that input transform based method can exhibit resistance to
adversarial examples only through model retraining, and 3) We
found out that one way transformation into halftone domain,
i.e., density-based representation, achieves best performance
in terms of classification accuracy and robustness against
adversarial attacks.
The rest of the paper is organized as follows. In Section
2, we briefly review attack and defense mechanisms for DNN
models. Section 3 describes the proposed input recharacteri-
zation approach in detail. Section 4 reports quantitative exper-
imental results compared with previous image transformation
methods. Finally, Section 5 summarizes our work with a brief
conclusion.
II. R ELATED W ORK
A. Defense Mechanisms
To prevent adversarial attacks from harming safety-critical
applications, various defense strategies have been proposed.
Authorized licensed use limited to: SOUTHWEST JIAOTONG UNIVERSITY. Downloaded on February 28,2024 at 06:39:32 UTC from IEEE Xplore. Restrictions apply.
They can be categorized into three main groups: gradient
masking [7], [8], input transformation [9] and adversarial
training [10]. 1) gradient masking: Because most of attack
approaches rely on computing gradients for generating per-
turbations, reducing or obfuscating the gradient information
can protect trained models against distance-based optimization
methods. For example, bit-depth reduction [7] and defensive
distillation [8] are examples of gradient masking. 2) input
transformation: Without changing the network architectures
and weights, these methods adopted pre-processing approaches
(2) to decrease the interference in the adversarial images. After
transforming the input images, classifiers may not be misled by
(3) the adversarial examples. 3) adversarial training: These types
of methods are mainly adopted to strengthen the robustness
of the model. They augment training data with adversarial
examples and then retrain the network. It effectively modifies
the decision boundary, so the retrained model can correctly
identify these adversarial examples.
Among these possible strategies, adversarial training is
widely considered to be an effective option for defenses.
However, high computational cost of generating adversarial
examples and retraining a model are impractical for most real-
world scenarios. Our proposed approach is similar to input
transformation, which requires less computation. Compared
to TVM [11] or image quilting [12] that attempt to replace
or revise the patches of perturbations, our proposed input
recharacterization method converts the whole image from
intensity-based representation to density-based representation
using halftone operation. We hope the conversion process can
invalidate the attacks by moving all samples to an entirely new
representation domain.
B. Adversarial Attacks
We describe several representative attacks that would be
applied to validate the effectiveness of our defense mechanism
in the experiment section. Szegedy et al. firstly identified
the vulnerability of deep neural networks, and L-BFGS was
devised to fool DNN models in classification tasks [1]. It gen-
erates adversarial samples by adding perturbations constrained
by L2 norm on the input image. Goodfellow et al. discovered
the vulnerability may result from the linearity of networks
in high dimension and proposed Fast Gradient Sign Attack
(FGSM) [13] to efficiently produce adversarial samples. This
approach updates the image pixels along the gradient direction
3500
of the cost function in one step. Owing to the efficiency of
FGSM, researchers have extended FGSM to produce other
types of adversarial samples. For example, Iterative-Fast Gra-
dient Sign Method (I-FGSM) [14] takes multiple iterations for
optimization. Madry et al. proposed projected gradient descent
(PGD) [15] to improve the FGSM by projecting the prediction
result into the constraint set after each iteration.
On the other hand, Jacobian-based Saliency Map Attack
(JSMA) proposed by Papernot et al. [16] exploited saliency
map, which was used to visualize the prediction results of
models [18], to create deception. The saliency map based on
the gradient of the forward-pass of the neural network exhibits
the most influential input pixels, and the greedy algorithm
is applied to iteratively modify the input image in order to
generate the adversarial example.
In order to guarantee the correctness of attack models in
our research, we employed Adversarial Robustness Toolbox
(ART) [17], which is maintained by IBM, to conduct our ex-
periments. This toolbox provides various state-of-the-art threat
models for verifying model robustness and the effectiveness of
proposed defense strategies. By using the implemented attack
and defense approaches in the toolbox, we can ensure fairness
when making comparative analysis in our experiments.
C. Domain Transformation: Digital Halftoning
Halftoning techniques are used in the early stage of printed
photos. It can emulate the continuous-tone photograph by
resampling an image with a series of dots of different sizes or
space. The larger or denser dots correspond to the dark areas in
a continuous-tone image. The result is a binary representation
of the input image that retains the overall scene structure.
Human have little problem recognizing objects in halftone
images provided the original image has sufficient resolution.
The halftoning operation maps the original intensity to
cluster of points with various density. Unlike other input
transform methods whose output still lie in the same intensity
domain, halftone images can be viewed as a novel discon-
tinuous density-based representation. Therefore, perturbations
generated in the continuous intensity domain might lose their
capability when entering a totally new territory. In this work,
we use the Floyd-Steinberg error diffusion kernel [19] perform
the halftone mapping.
The process of converting the halftoning image back to the
the continuous-tone image is referred to as inverse halftoning.
The inverse halftoning methods are mainly divided into three
categories: frequency or spatial filtering [20], adaptive filtering
[21], and deep learning [22]–[24]. The first two methods
statistically smooth the image pixels by eliminating high-
frequency information so as to restore the original image.
However, the image after the operation of the low-pass filter
will become more blurred compared to the original one.
Although the inverse halftoning method with deep learning
techniques requires a large amount of training costs, the inver-
sion result can achieve the best quality among current methods.
In this work, we employ wavelet-based inverse halftoning via
deconvolution (WInHD) [25] due to its ability to generalize to
3501
Authorized licensed use limited to: SOUTHWEST JIAOTONG UNIVERSITY. Downloaded on February 28,2024 at 06:39:32 UTC from IEEE Xplore. Restrictions apply.
unseen images. In addition, instead of focusing on high-quality
reconstruction of images, our main task is to demonstrate that
input recharacterization can resist adversarial attacks.
III. P ROPOSED D EFENSE M ECHANISM
Our core guideline is to perform effective defense on adver-
sarial examples without incurring excessive computing costs.
We aim to explore these three hypothesis :1) the transferability
of adversarial examples between intensity-based and density-
based domain: If adversarial perturbations are added in the
intensity-based domain, it would not cause misclassification
for the model trained in the density-based domain. The di-
rection of the gradient for optimization-based attacks in one
domain is not equivalent to the direction of the gradient in
another domain due to the change of decision boundaries for
different models 2) the attackability under the density-based
representation: The density-based representation simulates the
gradient variation for the intensity-based image through error
fusion, which is expressed in binary patterns. The existing
adversarial attacks might not achieve the same success in
density representation as intensity representation. To be more
specific, it would make contradiction of the assumption that
the adversarial perturbation is non-perceivable to human eyes.
3) the feasibility of invalidating attacks with two-stage input
recharacterization: The halftoning method is designed by both
quantizing the pixels and weighting the error with proximity
relationships. At the same time, inverse halftoning is used to
recover the details in the intensity domain. Therefore, whether
the lossy transformation between these two representations
would indirectly purify the slight adversarial disturbances is
the question we aim to investigate. If that is the case, it
may allow the model to correctly classify the image without
retraining.
For the first and third hypotheses, we will use different
representation images as our training data, which are grayscale
images (intensity-based representation) and halftone images
(density-based representation). Both are trained with the VGG-
16 model for 300 epochs. There are three types of training
models in this study: grayscale model, halftone model, and
hybrid model. Heterogeneous data consisting of a mixture of
halftone and grayscale images, are used to train the hybrid
model. We attempt to examine whether the hybrid model can
learn more general and abstract feature to counter adversarial
examples. In summary, we not only plan to validate the model
trained on individual input representation, but also consider
the fusion of these two domains to enhance robustness against
adversarial attacks.
For the second hypothesis, we adjust the existing adversarial
attack mechanisms based on gradient optimization to confuse
the model trained on density-based representation. We aim to
confirm whether it can generate effective adversarial samples
on the density domain. Compared to distance metrics of l1 ,
l2 , and l∞ to generate adversarial examples, l0 -norm is more
intuitive and suitable for attacking halftone image with binary
pattern. We extend two attack methods, namely, Projected
Gradient Descent Attack(PGD) and Jacobian-based Saliency
 Fig. 3: Flowchart of our defense mechanism.
Fig. 4: Performing halftone operation on images of different
resolutions: (a) CIFAR-10 32x32 (b) Tiny-ImageNet 128x128
Map Attack (JSMA), to assess the feasibility of producing
adversarial attacks in halftone images. The parameters of
modified PGD attack are set to  = 1, α = 1, and iteration =
1. By changing the pixel value (1 to 0 or 0 to 1) at each
step, it can generate adversarial examples in density-based
domain. On the other hand, the JSMA attack would iteratively
change the maximal-salient pixel pair from the saliency map.
We can also use the same procedure to change the pixel pair
to 0 or 1 to confuse the model. We will investigate these two
attack methods with respect to global and local adversarial
perturbations in our subsequent experiments.
CIFAR-10 and CIFAR-100 are two datasets often used to
verify the effectiveness of adversarial attacks. However, the
image resolution is too low for effective halftone transform, as
depicted in Fig. 4(a). Instead of using CIFAR-10 and CIFAR-
100 for training, we employ Tiny-ImageNet in this study. The
dataset contains 200 categories with a total of 260 thousand
images as training data. The test data contains 50 images
per class. We resize all of the images to 128x128 pixels to
allow faster processing. The corresponding halftone images
are shown in Fig. 4(b).
3502
Authorized licensed use limited to: SOUTHWEST JIAOTONG UNIVERSITY. Downloaded on February 28,2024 at 06:39:32 UTC from IEEE Xplore. Restrictions apply.
IV. E XPERIMENTAL R ESULTS
Three sets of experiments have been conducted to evaluate
the performance of our proposed method, namely, transfer-
ability of adversarial examples between domains, attackability
under the density-based representation, and the feasibility of
invalidating attacks with two-stage input recharacterization.
For the first and third task, we will conduct detailed quan-
titative comparisons to reveal the efficacy of the proposed
defense strategy. For the second task, we will mainly focus
on assessing the visual quality of the perturbed images using
global and local adversarial perturbations.
A. Transferability of Adversarial Examples
To begin with, we trained baseline models using density-
based, intensity-based and hybrid representations. We then
apply FGSM, I-FGSM, and PGD attacks to test their defense
efficiencies. The epsilon parameter of the adversarial attacks
is set to 0.04 and iteration is 100 for I-FGSM and PGD
attacks. The results are summarized in Table I. We notice
that whatever attack method is used to confuse the model, the
top-5 accuracy for the halftone model remains approximately
the same. Although the top-1 accuracy drops about 3% on
FGSM and PGD attacks and decrease 9% on I-FGSM attack,
its ability to invalidate a large amount of the adversarial
perturbations is confirmed. On the other hand, the hybrid
model is also capable of countering the adversary, and even
achieved higher performance than halftone model on FGSM
attack.
The proposed method outperforms other input transform
approaches by a remarkable 10∼20% improvement in top-
1 accuracy as shown in Table I. These experimental results
are consistent with our first hypothesis that the model trained
on different domain would have different decision boundary.
As a result, the gradient-based attack method cannot transfer
the perturbations to another domain. To our surprise, if we
consider adversarial examples in both intensity-based and
 TABLE I: Performance of different input transform schemes
Hybrid Hybrid
Attack Accuracy Defense Cropping and Rescaling TVM Grayscale Halftone
(intensity) (density)
Top-1 56.98 59.13 62.0 61.1 66.01 60.06
Baseline
Top-5 77.23 78.56 76.5 80.4 85.14 82.31
Top-1 43.65 36.46 12.0 57.78 59.93 59.40
FGSM
Top-5 69.96 69.07 31.4 80.34 81.13 80.97
Top-1 45.10 43.15 10.1 52.01 34.93 52.51
I-FGSM
Top-5 72.52 70.21 17.4 78.35 69.31 78.77
Top-1 45.68 39.13 10.1 57.23 48.69 58.03
PGD
Top-5 73.26 67.29 17.4 80.91 77.46 81.56

density-based domain, the hybrid model accomplishes even
higher scores than halftone model on all types of attacks.
B. Launching Attacks in the Halftone Domain
The basic requirement of an adversarial attack is that the
polluted samples cannot deviate from the original images
too much such that the artifact becomes easily detectable by
human observer. In other words, if the attack scheme has to
add significant perturbations to an image in order to confuse
the classifier, it may not be qualified as an effective adversarial
attack. We argue that this is the case for halftone images.
To validate our claim, we will perform two types of attacks
to images using density-based representation. We will then
examine the visual quality of the polluted images to check
whether attacks in the halftone domain are feasible.
1) Global Adversarial Perturbations: PGD Attack: To
investigate the attackability using global adversarial perturba-
tion, we use PGD attack to generate adversarial examples on
the halftone model. We set the parameters of PGD, where  =
1, α = 1, and iteration = 1. It would only alter the pixel
value with ±1 at a time. The result is shown in Fig. 5. The
polluted image is completely different from original one, and it
becomes extremely difficult to distinguish the shape of the fish
and the frog. To further confirm that the adversarial example
is indeed generated, we also perform targeted attack, which
would mislead the model to predict the input image to category
0. The model classifies the adversarial image to category 0
with 94.3% confidence. It is therefore safe to conclude that the
existing attack methods based on global gradient optimization
cannot be applied to images with density representation.
Fig. 5: Adding global perturbations in the halftone domain
using PGD.
2) Local Adversarial Perturbations: JSMA Attack: In this
experiment, we apply the greedy method to find the most
influential pixel in the saliency map for performing JSMA
attack. In order to assess the image quality at different levels
of attacks, we generate adversarial examples with 10%, 20%,
and 30% modification. As shown in Figure b, the overall shape
of the fish does not change significantly at the ratio of 10%.
The top-5 accuracy of the model still maintains at around
77%. However, as the modification ratio increases, the image
becomes gradually unidentifiable and suffers a significant drop
in accuracy. This again confirms the difficulty in setting up
effective attacks in density-based representation.
Fig. 6: Generating different levels of local perturbations using
JSMA.
C. Feasibility of Invalidating Attacks with Two-stage Input
Recharacterization
In the third experiment, we will discuss whether the two-
way lossy transform can effectively eliminate the effects of
adversary. That is, we attempt to verify whether the model
without retraining is capable of handling the processed ad-
versarial samples. In table II, we found that both halftone
and hybrid model cannot accurately predict the images with
the two-way transformation. The image operated by inverse
halfton is shown in Fig 3, and it shows that two-way image
recharacterization would result in excessive loss of texture.
Therefore, degraded images with different discriminative fea-
tures cause the original decision boundary to be unsuitable for
classifying the inverse halftone images. The transformation to
the density-based domain is to quantize images to simulate
pixel changes in the intensity domain. After quantization and
error fusion, the image details, especially the high frequency
components, are lost. Conversion back to intensity domain
using WInHD cannot recover the detailed texture. In table I
and II, the drop in the recognition accuracy caused by the
inverse halftone transformation is greater than the halftone
transformation in the process of two-way conversion.
When comparing the accuracy before and after the adver-
sarial attacks, we notice that disrupted features still possesses
the capability of misleading the trained model. Although the
influence is less apparent, it deserves further exploration and
discussion. We can study the phenomenon from perspective

3503

Authorized licensed use limited to: SOUTHWEST JIAOTONG UNIVERSITY. Downloaded on February 28,2024 at 06:39:32 UTC from IEEE Xplore. Restrictions apply.
 TABLE II: One-way vs. two-stage transformation for defending adversarial attacks
Grayscale Grayscale Hybrid Hybrid
Attack Accuracy Defense
(Original) (Inverse) (Original) (Inverse)
Top-1 62.0 12.0 66.01 26.32
Baseline
Top-5 76.5 27.9 85.14 46.64
Top-1 12.0 9.8 59.93 23.11
FGSM
Top-5 31.4 24.1 81.13 42.26
Top-1 10.1 8.30 34.93 20.63
I-FGSM
Top-5 17.4 22.05 69.31 40.23
Top-1 10.1 9.33 48.69 21.57
PGD
Top-5 17.4 23.41 77.46 41.50

of [26], which considers that adversarial examples are kind
of features. Although the two-way lossy transformation can
reduce certain types of noise, the characteristics of the ad-
versarial samples still remain. The input recharacterization
exhibits certain degrees of purifying effects on adversarial
perturbations. Unless visual patterns of CNN models can be
fully modeled, it is difficult to remove the adversarial features
without interfering with the identification of the model. For
example, if we use a simple conversion such as denoising
models to remove the adversarial perturbations, it would also
adversely modify the visual features for trained models and
leads to decrease in model accuracy.
V. C ONCLUSION
A lightweight procedure to counter adversarial attacks has
been proposed in this research. By converting the input im-
age into halftone representation, the perturbations purposely
added to confuse the classifier can be effectively eliminated.
Additionally, launching adversarial attacks without detectable
artifacts in the halftone domain is extremely difficult as it is
essentially a binary representation. This particular form of in-
put recharacterization proves to a suitable defense mechanism
against many existing attacks. Future work will investigate
its efficacy in other DNN models as well as more forms of
adversarial attacks.
ACKNOWLEDGEMENT
This work was partially supported by The Ministry of Sci-
ence and Technology, Taiwan, under GRANT No. MOST108-
2221-E-004-008 and MOST109-2634-F-004-001 through Per-
vasive Artificial Intelligence Research (PAIR) Labs.
R EFERENCES
[1] Szegedy, Christian, et al. ”Intriguing properties of neural networks.” arXiv
preprint arXiv:1312.6199 (2013).
[2] Abadi, Martin, et al. ”Deep learning with differential privacy.” Pro-
ceedings of the 2016 ACM SIGSAC Conference on Computer and
Communications Security. 2016.
[3] Shokri, Reza, et al. ”Membership inference attacks against machine
learning models.” 2017 IEEE Symposium on Security and Privacy (SP).
IEEE, 2017.
[4] Biggio, Battista, Giorgio Fumera, and Fabio Roli. ”Security evaluation
of pattern classifiers under attack.” IEEE transactions on knowledge and
data engineering 26.4 (2013): 984-996.
[5] Papernot, Nicolas and Goodfellow. ”Breaking things
is easy.” Cleverhans Blog, 2016 [Online]. Available:
http://www.cleverhans.io/security/privacy/ml/2016/12/16/breaking-
things-is-easy.html [Accessed: 15- March- 2020]
[6] Tabacof, Pedro, and Eduardo Valle. ”Exploring the space of adversar-
ial images.” 2016 International Joint Conference on Neural Networks
(IJCNN). IEEE, 2016.
[7] Weilin Xu, David Evans, and Yanjun Qi. Feature squeezing: Detecting
adversarial examples in deep neural networks. CoRR, abs/1704.01155,
2017.
[8] Papernot, Nicolas, et al. ”Distillation as a defense to adversarial perturba-
tions against deep neural networks.” 2016 IEEE Symposium on Security
and Privacy (SP). IEEE, 2016.
[9] Guo, Chuan, et al. ”Countering adversarial images using input transfor-
mations.” arXiv preprint arXiv:1711.00117 (2017).
[10] Madry, Aleksander, et al. ”Towards deep learning models resistant to
adversarial attacks.” arXiv preprint arXiv:1706.06083 (2017).
[11] Leonid Rudin, Stanley Osher, and Emad Fatemi. Nonlinear total varia-
tion based noise removal algorithms. Physica D, 60:259–268, 1992.
[12] Alexei Efros and William Freeman. Image quilting for texture synthesis
and transfer. In Proc. SIGGRAPH, pp. 341–346, 2001.
[13] Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and
harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
[14] Yanpei Liu, Xinyun Chen, Chang Liu, and Dawn Song. Delving
into transferable adversarial examples and black-box attacks. CoRR,
abs/1611.02770, 2016.
[15] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris
Tsipras, and Adrian Vladu. Towards deep learning models resistant to
adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.
[16] Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z
Berkay Celik, and Ananthram Swami. The limitations of deep learning
in adversarial settings. In Security and Privacy (EuroS&P), 2016 IEEE
European Symposium on, pages 372–387. IEEE, 2016.
[17] Nicolae, Maria-Irina, et al. ”Adversarial Robustness Toolbox v0. 4.0.”
arXiv preprint arXiv:1807.01069 (2018).
[18] Karen Simonyan, Andrea Vedaldi, and Andrew Zisserman. Deep inside
convolutional networks: Visualising image classification models and
saliency maps. CoRR, abs/1312.6034, 2013.
[19] R. W. Floyd and L. Steinberg, “An Adaptive Algorithm for Spatial
Grayscale,” Proceedings of the Society of Information Display, Vol. 17,
No. 2, 1976, pp. 75-77.
[20] Kite, Thomas D., et al. ”A fast, high-quality inverse halftoning algorithm
for error diffused halftones.” IEEE Transactions on Image Processing 9.9
(2000): 1583-1592.
[21] Siddiqui, Hasib, and Charles A. Bouman. ”Training-based descreening.”
IEEE transactions on image processing 16.3 (2007): 789-802.
[22] Gao, Qifan, Xiao Shu, and Xiaolin Wu. ”Deep Restoration of Vintage
Photographs From Scanned Halftone Prints.” Proceedings of the IEEE
International Conference on Computer Vision. 2019.
[23] Kim, Tae-Hoon, and Sang Il Park. ”Deep context-aware descreening and
rescreening of halftone images.” ACM Transactions on Graphics (TOG)
37.4 (2018): 1-12.
[24] Hou, Xianxu, and Guoping Qiu. ”Image companding and inverse
halftoning using deep convolutional neural networks.” arXiv preprint
arXiv:1707.00116 (2017).
[25] Neelamani, Ramesh, Robert David Nowak, and Richard G. Baraniuk.
”Winhd: Wavelet-based inverse halftoning via deconvolution.” IEEE
Transactions on Image Processing (2002).
[26] Ilyas, Andrew, et al. ”Adversarial examples are not bugs, they are
features.” Advances in Neural Information Processing Systems. 2019.

3504

Authorized licensed use limited to: SOUTHWEST JIAOTONG UNIVERSITY. Downloaded on February 28,2024 at 06:39:32 UTC from IEEE Xplore. Restrictions apply.