pith. sign in

arxiv: 2306.16050 · v2 · submitted 2023-06-28 · 💻 cs.CV · cs.LG· eess.IV

Evaluating Similitude and Robustness of Deep Image Denoising Models via Adversarial Attack

Jie Ning , Jiebao Sun , Yao Li , Zhichang Guo , Wangmeng Zuo This is my paper

Pith reviewed 2026-05-24 07:58 UTC · model grok-4.3

classification 💻 cs.CV cs.LGeess.IV
keywords adversarial attackimage denoisingdeep neural networksrobustness similitudenon-blind denoisingblind denoisingplug-and-play methods
0
0 comments X

The pith

Deep image denoising models from different families share nearly the same adversarial samples, indicating similar local behaviors near test images.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces a denoising-PGD attack that fools a wide range of deep denoisers while leaving the noise distribution almost unchanged. It shows that non-blind models such as DnCNN and FFDNet, blind models such as Noise2Noise, plug-and-play methods such as DPIR, and unfolding networks such as DeamNet produce almost identical adversarial samples on both grayscale and color test images. This overlap is taken to mean the models respond similarly in the immediate neighborhood of each test sample. The authors define a robustness similitude score to quantify that local overlap and report high scores among non-blind models and between hybrid-driven and pure data-driven non-blind models. Data-driven non-blind models emerge as the most robust under this measure, while the classical BM3D algorithm resists the attack.

Core claim

Current mainstream non-blind denoising models (DnCNN, FFDNet, ECNDNet, BRDNet), blind denoising models (DnCNN-B, Noise2Noise, RDDCNN-B, FAN), plug-and-play (DPIR, CurvPnP) and unfolding denoising models (DeamNet) almost share the same adversarial sample set on both grayscale and color images, respectively. Shared adversarial sample set indicates that all these models are similar in term of local behaviors at the neighborhood of all the test samples. Non-blind denoising models are found to have high robustness similitude across each other, while hybrid-driven models are also found to have high robustness similitude with pure data-driven non-blind denoising models. Data-driven non-blind models

What carries the argument

The robustness similitude indicator, which quantifies local model similarity by measuring overlap of adversarial samples generated by the denoising-PGD attack.

If this is right

  • Non-blind denoising models exhibit high robustness similitude with one another.
  • Hybrid-driven models show high robustness similitude with pure data-driven non-blind models.
  • Data-driven non-blind models rank as the most robust under the similitude-based assessment.
  • Adversarial training can be applied to reduce vulnerability to the attack.
  • The model-driven BM3D algorithm remains resistant to the proposed attack.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The observed behavioral convergence may allow robustness improvements developed for one model to transfer more readily to others in the same family.
  • The shared-sample phenomenon could be tested on additional image-restoration tasks such as deblurring or super-resolution.
  • Security-sensitive applications might favor classical non-learned methods when adversarial robustness is required.
  • Further experiments could vary the attack strength or noise level to map how the similitude changes with input conditions.

Load-bearing premise

That identical adversarial samples across models imply the models behave similarly in the local neighborhood of test samples.

What would settle it

Run the denoising-PGD attack on a fresh test set and check whether the generated adversarial images differ substantially across the listed model families.

Figures

Figures reproduced from arXiv: 2306.16050 by Jiebao Sun, Jie Ning, Wangmeng Zuo, Yao Li, Zhichang Guo.

Figure 1
Figure 1. Figure 1: The performance of DnCNN decreases under adversarial attack. [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: The flowchart of image denoising adversarial attack method. By [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Radar diagram of the distribution of the adversarial space and [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Adversarial regions of the DnCNN model under denoising-PGD attack [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗
Figure 6
Figure 6. Figure 6: A linear combination of two arbitrary adversarial samples, where the [PITH_FULL_IMAGE:figures/full_fig_p006_6.png] view at source ↗
Figure 5
Figure 5. Figure 5: Adversarial regions of various models under adversarial samples [PITH_FULL_IMAGE:figures/full_fig_p006_5.png] view at source ↗
Figure 7
Figure 7. Figure 7: The denoising-PGD adversarial attack effect (house). [PITH_FULL_IMAGE:figures/full_fig_p007_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Transferability of adversarial samples generated by DnCNN to various [PITH_FULL_IMAGE:figures/full_fig_p008_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Effect of denoising-PGD on color RGB images (butterfly). [PITH_FULL_IMAGE:figures/full_fig_p009_9.png] view at source ↗
Figure 11
Figure 11. Figure 11: Denoising effect of the adversarial training model and the original [PITH_FULL_IMAGE:figures/full_fig_p010_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: Demonstration of the effect of generating adversarial samples based [PITH_FULL_IMAGE:figures/full_fig_p010_12.png] view at source ↗
Figure 13
Figure 13. Figure 13: Effectiveness of BM3D under image denoising adversarial attacks, [PITH_FULL_IMAGE:figures/full_fig_p011_13.png] view at source ↗
Figure 14
Figure 14. Figure 14: Visual comparison of the noise distribution of the adversarial samples [PITH_FULL_IMAGE:figures/full_fig_p012_14.png] view at source ↗
Figure 15
Figure 15. Figure 15: The effect diagram of the image denoising adversarial attack (a) [PITH_FULL_IMAGE:figures/full_fig_p012_15.png] view at source ↗
read the original abstract

Deep neural networks (DNNs) have shown superior performance comparing to traditional image denoising algorithms. However, DNNs are inevitably vulnerable while facing adversarial attacks. In this paper, we propose an adversarial attack method named denoising-PGD which can successfully attack all the current deep denoising models while keep the noise distribution almost unchanged. We surprisingly find that the current mainstream non-blind denoising models (DnCNN, FFDNet, ECNDNet, BRDNet), blind denoising models (DnCNN-B, Noise2Noise, RDDCNN-B, FAN), plug-and-play (DPIR, CurvPnP) and unfolding denoising models (DeamNet) almost share the same adversarial sample set on both grayscale and color images, respectively. Shared adversarial sample set indicates that all these models are similar in term of local behaviors at the neighborhood of all the test samples. Thus, we further propose an indicator to measure the local similarity of models, called robustness similitude. Non-blind denoising models are found to have high robustness similitude across each other, while hybrid-driven models are also found to have high robustness similitude with pure data-driven non-blind denoising models. According to our robustness assessment, data-driven non-blind denoising models are the most robust. We use adversarial training to complement the vulnerability to adversarial attacks. Moreover, the model-driven image denoising BM3D shows resistance on adversarial attacks.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The paper proposes a joint denoising-PGD adversarial attack that succeeds against a range of deep image denoising models (non-blind: DnCNN, FFDNet, ECNDNet, BRDNet; blind: DnCNN-B, Noise2Noise, RDDCNN-B, FAN; plug-and-play: DPIR, CurvPnP; unfolding: DeamNet) while keeping the added noise distribution nearly unchanged. It reports that these models share nearly identical adversarial sample sets on grayscale and color images, interprets this as evidence of similar local behaviors near test samples, and introduces a 'robustness similitude' metric to quantify such similarity. The authors conclude that data-driven non-blind models exhibit the highest robustness similitude and overall robustness, recommend adversarial training to address vulnerabilities, and note that the model-driven BM3D method resists the attacks.

Significance. If the shared adversarial samples reflect intrinsic model similarity rather than an artifact of the joint attack optimization, the robustness similitude metric could provide a useful new tool for comparing denoising architectures and assessing robustness. The empirical scope across multiple model categories and the inclusion of adversarial training plus BM3D comparison add practical relevance. However, the absence of implementation details, statistical validation, and controls for attack-induced commonality in the provided text limits the strength of these implications.

major comments (3)
  1. [Abstract] Abstract: The central claim that the listed models 'almost share the same adversarial sample set' is load-bearing for the robustness similitude metric and the conclusion that non-blind models are most robust, yet no quantitative measure of overlap (e.g., fraction of identical samples, Jaccard index), statistical test, or variance across runs is supplied. This prevents assessment of whether the observed sharing exceeds what would be expected by chance or attack construction.
  2. [Abstract] Abstract (paragraph beginning 'Shared adversarial sample set indicates...'): The interpretation that shared samples demonstrate similar local behaviors assumes the joint denoising-PGD optimization does not itself enforce commonality across models. No comparison to independent per-model PGD attacks is described, leaving open that the shared set is imposed by the joint success constraint rather than intrinsic gradient or loss-landscape similarity; this directly undermines the validity of the proposed similitude indicator.
  3. [Abstract] Abstract: The attack is stated to 'keep the noise distribution almost unchanged,' but no metric, distance measure, or verification procedure for this property is given, nor are dataset details, image counts, or noise levels specified. These omissions make it impossible to evaluate whether the attack succeeds on its own stated terms or whether the similitude findings are reproducible.
minor comments (1)
  1. [Abstract] Abstract contains minor grammatical issues ('comparing to' should be 'compared to'; 'in term of' should be 'in terms of') that affect readability but do not impact technical content.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback on the abstract and the implications of our claims. We address each major comment below and will incorporate revisions to strengthen the quantitative support, controls, and reproducibility details.

read point-by-point responses

  1. Referee: [Abstract] Abstract: The central claim that the listed models 'almost share the same adversarial sample set' is load-bearing for the robustness similitude metric and the conclusion that non-blind models are most robust, yet no quantitative measure of overlap (e.g., fraction of identical samples, Jaccard index), statistical test, or variance across runs is supplied. This prevents assessment of whether the observed sharing exceeds what would be expected by chance or attack construction.

    Authors: We agree that explicit quantitative measures are required to substantiate the overlap claim. In the revised manuscript we will report the Jaccard index and fraction of identical adversarial samples between each pair of models, include a statistical test against a null model of random overlap, and report variance across independent runs of the attack to confirm the sharing is not attributable to chance or attack construction. revision: yes

  2. Referee: [Abstract] Abstract (paragraph beginning 'Shared adversarial sample set indicates...'): The interpretation that shared samples demonstrate similar local behaviors assumes the joint denoising-PGD optimization does not itself enforce commonality across models. No comparison to independent per-model PGD attacks is described, leaving open that the shared set is imposed by the joint success constraint rather than intrinsic gradient or loss-landscape similarity; this directly undermines the validity of the proposed similitude indicator.

    Authors: This concern is valid and directly affects the interpretation of the similitude metric. We will add a control experiment that runs independent PGD attacks on each model separately and compares the resulting overlap to the overlap obtained under the joint attack. The revised text will present both results side-by-side so readers can assess whether the observed commonality exceeds what the joint optimization alone would produce. revision: yes

  3. Referee: [Abstract] Abstract: The attack is stated to 'keep the noise distribution almost unchanged,' but no metric, distance measure, or verification procedure for this property is given, nor are dataset details, image counts, or noise levels specified. These omissions make it impossible to evaluate whether the attack succeeds on its own stated terms or whether the similitude findings are reproducible.

    Authors: We acknowledge these omissions limit reproducibility. The revised manuscript will specify the distance measure (e.g., KL divergence between noise histograms) used to verify that the added noise distribution remains nearly unchanged, together with the exact datasets, number of images, and noise levels employed in all experiments. revision: yes

Circularity Check

0 steps flagged

No circularity: claims rest on experimental attack outcomes without reduction to inputs or self-citations

full rationale

The paper introduces denoising-PGD as an attack method, applies it experimentally to multiple models, observes shared adversarial samples, and defines robustness similitude as a new indicator based on those observations. No equations, fitted parameters renamed as predictions, or load-bearing self-citations appear in the provided text. The derivation chain consists of empirical results that remain falsifiable through the attack procedure rather than any self-definitional equivalence or imported uniqueness theorem. This matches the default case of a non-circular experimental paper.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Work is purely empirical; no free parameters, axioms, or invented entities are stated in the abstract.

pith-pipeline@v0.9.0 · 5794 in / 1035 out tokens · 28642 ms · 2026-05-24T07:58:54.852487+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

40 extracted references · 40 canonical work pages · 1 internal anchor

  1. [1]

    Nonlinear total variation based noise removal algorithms,

    L. I. Rudin, S. Osher, and E. Fatemi, “Nonlinear total variation based noise removal algorithms,” Physica D Nonlinear Phenomena , vol. 60, no. 1-4, pp. 259–268, 1992. I

    work page 1992

  2. [2]

    Scale-space and edge detection using anisotropic diffusion,

    P. Perona and J. Malik, “Scale-space and edge detection using anisotropic diffusion,” IEEE Transactions on Pattern Analysis and Machine Intelligence, no. 7, 1990. I

    work page 1990

  3. [3]

    Image denoising by sparse 3-d transform-domain collaborative filtering,

    K. Dabov, A. Foi, V . Katkovnik, and K. Egiazarian, “Image denoising by sparse 3-d transform-domain collaborative filtering,” IEEE Trans Image Process, vol. 16, no. 8, pp. 2080–95, 2007. [Online]. Available: https://www.ncbi.nlm.nih.gov/pubmed/17688213 I

    work page arXiv 2080

  4. [4]

    Beyond a gaussian denoiser: Residual learning of deep cnn for image denoising,

    Z. Kai, W. Zuo, Y . Chen, D. Meng, and Z. Lei, “Beyond a gaussian denoiser: Residual learning of deep cnn for image denoising,” pp. 3142– 3155, 2016. I, II-A, II-B

    work page 2016

  5. [5]

    Ffdnet: Toward a fast and flexible solution for cnn-based image denoising,

    K. Zhang, W. Zuo, and L. Zhang, “Ffdnet: Toward a fast and flexible solution for cnn-based image denoising,” IEEE Transactions on Image Processing, vol. 27, no. 9, pp. 4608–4622, 2018. I, II-A

    work page 2018

  6. [6]

    Enhanced CNN for image denoising,

    C. Tian, Y . Xu, L. Fei, J. Wang, J. Wen, and N. Luo, “Enhanced CNN for image denoising,” CAAI Transactions on Intelligence Technology , vol. 4, no. 1, pp. 17–23, mar 2019. I, II-A

    work page 2019

  7. [7]

    Image denoising using deep cnn with batch renormalization,

    C. Tian, Y . xu, and W. Zuo, “Image denoising using deep cnn with batch renormalization,” Neural Networks, vol. 121, pp. 461–473, 01 2020. I, II-A

    work page 2020

  8. [8]

    Noise2Noise: Learning Image Restoration without Clean Data

    J. Lehtinen, J. Munkberg, J. Hasselgren, S. Laine, T. Karras, M. Aittala, and T. Aila, “Noise2noise: Learning image restoration without clean data,” CoRR, vol. abs/1803.04189, 2018. I, II-B

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  9. [9]

    A robust deformed convolutional neural network (cnn) for image denoising,

    Q. Zhang, J. Xiao, C. Tian, C.-W. Lin, and S. Zhang, “A robust deformed convolutional neural network (cnn) for image denoising,” CAAI Transactions on Intelligence Technology , pp. n/a–n/a, 06 2022. I, II-B

    work page 2022

  10. [10]

    Frequency attention network: Blind noise removal for real images,

    H. Mo, J. Jiang, Q. Wang, D. Yin, P. Dong, and J. Tian, “Frequency attention network: Blind noise removal for real images,” in Computer Vision – ACCV 2020, H. Ishikawa, C.-L. Liu, T. Pajdla, and J. Shi, Eds. Cham: Springer International Publishing, 2021, pp. 168–184. I, II-B

    work page 2020

  11. [11]

    Plug-and-play priors for model based reconstruction,

    S. V . Venkatakrishnan, C. A. Bouman, and B. Wohlberg, “Plug-and-play priors for model based reconstruction,” in 2013 IEEE Global Conference on Signal and Information Processing , 2013, pp. 945–948. I

    work page 2013

  12. [12]

    Learning deep cnn denoiser prior for image restoration,

    Z. Kai, W. Zuo, S. Gu, and Z. Lei, “Learning deep cnn denoiser prior for image restoration,” IEEE, 2017. I

    work page 2017

  13. [13]

    Learning proximal operators: Using denoising networks for regularizing inverse imaging problems,

    T. Meinhardt, M. Moeller, C. Hazirbas, and D. Cremers, “Learning proximal operators: Using denoising networks for regularizing inverse imaging problems,” IEEE Computer Society , 2017. I JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST PLUG2023 13

    work page 2017

  14. [14]

    Plug- and-play image restoration with deep denoiser prior,

    K. Zhang, Y . Li, W. Zuo, L. Zhang, L. Van Gool, and R. Timofte, “Plug- and-play image restoration with deep denoiser prior,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 44, no. 10, pp. 6360– 6376, 2022. I, II-C

    work page 2022

  15. [15]

    Curvpnp: Plug-and-play blind image restoration with deep curvature denoiser,

    Y . Li and Y . Duan, “Curvpnp: Plug-and-play blind image restoration with deep curvature denoiser,” 2022. I, II-C

    work page 2022

  16. [16]

    Adaptive consistency prior based deep network for image denoising,

    C. Ren, X. He, C. Wang, and Z. Zhao, “Adaptive consistency prior based deep network for image denoising,” in 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) , 2021, pp. 8592–

    work page 2021

  17. [17]

    Intriguing properties of neural networks,

    C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” 2014. I

    work page 2014

  18. [18]

    Explaining and harnessing adversarial examples,

    I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” 2015. I, II-D

    work page 2015

  19. [19]

    Deepfool: A simple and accurate method to fool deep neural networks,

    S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, “Deepfool: A simple and accurate method to fool deep neural networks,” in 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR) , 2016, pp. 2574–2582. I

    work page 2016

  20. [20]

    One pixel attack for fooling deep neural networks,

    J. Su, D. V . Vargas, and K. Sakurai, “One pixel attack for fooling deep neural networks,” IEEE Transactions on Evolutionary Computation , vol. 23, no. 5, pp. 828–841, 2019. I

    work page 2019

  21. [21]

    Spark: Spatial-aware online incremental attack against visual tracking,

    Q. Guo, X. Xie, F. Juefei-Xu, L. Ma, Z. Li, W. Xue, W. Feng, and Y . Liu, “Spark: Spatial-aware online incremental attack against visual tracking,” 2020. I

    work page 2020

  22. [22]

    M. F. A. Hady and F. Schwenker, Semi-supervised Learning . Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 215–239. I

    work page 2013

  23. [23]

    The space of transferable adversarial examples,

    F. Tram `er, N. Papernot, I. Goodfellow, D. Boneh, and P. McDaniel, “The space of transferable adversarial examples,” 2017. I

    work page 2017

  24. [24]

    Universal adversarial perturbations,

    S. M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard, “Universal adversarial perturbations,” in2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR) , 2017. I

    work page 2017

  25. [25]

    Delving into transferable adversarial examples and black-box attacks,

    Y . Liu, X. Chen, C. Liu, and D. Song, “Delving into transferable adversarial examples and black-box attacks,” 2017. I

    work page 2017

  26. [26]

    Evolving architectures with gradient misalignment toward low adversarial transferability,

    K. R. G. Operiano, W. Pora, H. Iba, and H. Kera, “Evolving architectures with gradient misalignment toward low adversarial transferability,”IEEE Access, vol. 9, pp. 164 379–164 393, 2021. I

    work page 2021

  27. [27]

    Transferability in ma- chine learning: from phenomena to black-box attacks using adversarial samples,

    N. Papernot, P. McDaniel, and I. Goodfellow, “Transferability in ma- chine learning: from phenomena to black-box attacks using adversarial samples,” 2016. I

    work page 2016

  28. [28]

    Disrupting adversarial transferability in deep neural networks,

    C. Wiedeman and G. Wang, “Disrupting adversarial transferability in deep neural networks,” Patterns, vol. 3, no. 5, p. 100472, 2022. I

    work page 2022

  29. [29]

    Deep neural networks are easily fooled: High confidence predictions for unrecognizable images,

    A. Nguyen, J. Yosinski, and J. Clune, “Deep neural networks are easily fooled: High confidence predictions for unrecognizable images,” in 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR) , 2015, pp. 427–436. I

    work page 2015

  30. [30]

    Evasion attacks against machine learning at test time,

    B. Biggio, I. Corona, D. Maiorca, B. Nelson, Nedim, P. Laskov, G. Giacinto, and F. Roli, “Evasion attacks against machine learning at test time,” in Advanced Information Systems Engineering . Springer Berlin Heidelberg, 2013, pp. 387–402. I

    work page 2013

  31. [31]

    Regulariz- ing deep networks using efficient layerwise adversarial training,

    S. Sankaranarayanan, A. Jain, R. Chellappa, and S. N. Lim, “Regulariz- ing deep networks using efficient layerwise adversarial training,” 2018. I

    work page 2018

  32. [32]

    Defense against adversarial attacks using high-level representation guided denoiser,

    F. Liao, M. Liang, Y . Dong, T. Pang, X. Hu, and J. Zhu, “Defense against adversarial attacks using high-level representation guided denoiser,” in 2018 IEEE/CVF Conference on Computer Vision and Pattern Recogni- tion, 2018, pp. 1778–1787. I

    work page 2018

  33. [33]

    Distillation as a defense to adversarial perturbations against deep neural networks,

    N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami, “Distillation as a defense to adversarial perturbations against deep neural networks,” in 2016 IEEE Symposium on Security and Privacy (SP) , 2016, pp. 582–

    work page 2016

  34. [34]

    Pasadena: Perceptually aware and stealthy adversarial denoise attack,

    Y . Cheng, Q. Guo, F. Juefei-Xu, W. Feng, S.-W. Lin, W. Lin, and Y . Liu, “Pasadena: Perceptually aware and stealthy adversarial denoise attack,”

    work page

  35. [35]

    Solving inverse problems with deep neural networks – robustness included?

    M. Genzel, J. Macdonald, and M. M ¨arz, “Solving inverse problems with deep neural networks – robustness included?” IEEE Transactions on Pattern Analysis and Machine Intelligence , vol. 45, no. 1, pp. 1119– 1134, 2023. I

    work page 2023

  36. [36]

    Adversarial examples in the physical world,

    A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial examples in the physical world,” 2017. II-D

    work page 2017

  37. [37]

    Towards deep learning models resistant to adversarial attacks,

    A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,” 2019. II-D, II-D

    work page 2019

  38. [38]

    Nesterov accelerated gradient and scale invariance for adversarial attacks,

    J. Lin, C. Song, K. He, L. Wang, and J. E. Hopcroft, “Nesterov accelerated gradient and scale invariance for adversarial attacks,” 2020. II-D

    work page 2020

  39. [39]

    Towards adversarially robust deep image denoising,

    H. Yan, J. Zhang, J. Feng, M. Sugiyama, and V . Y . F. Tan, “Towards adversarially robust deep image denoising,” 2022. II-D

    work page 2022

  40. [40]

    Scene categorization towards urban tunnel traffic by image quality assessment,

    H. Zhou and S. Zhou, “Scene categorization towards urban tunnel traffic by image quality assessment,” Journal of Visual Communication and Image Representation, vol. 65, p. 102655, 2019. IV JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST PLUG2023 14 VII. B IOGRAPHY SECTION Jie Ning Jie Ning received the B.S. degree in information and computing science...

    work page 2019