Manifold-Constrained Adversarial Training for Long-Tailed Robustness via Geometric Alignment

Guanmeng Xian; Ning Yang; Philip S. Yu

arxiv: 2605.02183 · v1 · submitted 2026-05-04 · 💻 cs.LG

Manifold-Constrained Adversarial Training for Long-Tailed Robustness via Geometric Alignment

Guanmeng Xian , Ning Yang , Philip S. Yu This is my paper

Pith reviewed 2026-05-08 18:56 UTC · model grok-4.3

classification 💻 cs.LG

keywords adversarial traininglong-tailed distributionsmanifold constraintgeometric alignmentrobust marginstail class robustnessfeature space regularization

0 comments

The pith

Manifold-constrained adversarial training aligns examples to class manifolds to improve robustness on long-tailed data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Manifold-Constrained Adversarial Training to address how standard adversarial training loses effectiveness when class distributions are long-tailed, leaving tail classes with high robust error and unstable boundaries. It adds a penalty that keeps adversarial examples close to each class's feature-space manifold so they stay semantically valid, plus an equiangular tight frame inspired term that separates classes evenly. Theory connects this separation to lower bounds on robust margins and shows the constrained risk upper-bounds true robust risk inside dense semantic regions. A reader would care because real datasets are rarely balanced and safety-critical applications need reliable defense across all classes, not just the common ones.

Core claim

Manifold-Constrained Adversarial Training (MCAT) enforces the semantic validity of adversarial examples by penalizing deviations from class-conditional manifolds in feature space, while promoting balanced geometric separation across classes via an ETF-inspired regularization. Theoretical results link geometric separation to lower bounds on adversarially robust margins, and show that manifold-constrained adversarial risk upperbounds robust risk on high-density semantic regions.

What carries the argument

The MCAT framework, which combines a penalty on deviations from estimated class-conditional manifolds in feature space with ETF-inspired regularization to keep adversarial examples semantically valid while enforcing balanced geometric separation.

If this is right

Tail classes receive larger robust margins because balanced geometric separation is explicitly encouraged during training.
On high-density regions the manifold-constrained risk serves as a practical upper bound for the true robust risk.
Overall, balanced, and tail-class adversarial robustness all improve simultaneously on standard long-tailed benchmarks.
Decision boundaries become more stable for underrepresented classes without requiring extra data balancing steps.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same manifold penalty might stabilize training in other imbalanced settings such as open-set recognition or domain adaptation.
If manifold estimates are noisy, the method could be combined with manifold learning techniques to first improve the estimates.
The ETF regularization term could be tested independently in non-adversarial long-tailed classification to isolate its contribution to margin size.
Extensions to semi-supervised or self-supervised robustness would check whether the geometric alignment still holds when labels are scarce.

Load-bearing premise

That penalizing deviations from estimated class-conditional manifolds will reliably enforce semantic validity of adversarial examples and produce the claimed lower bounds on robust margins without introducing new instabilities.

What would settle it

An experiment or calculation demonstrating that adversarial examples under MCAT still fall outside the true class manifolds or that measured geometric separation fails to produce the predicted increase in robust margins.

Figures

Figures reproduced from arXiv: 2605.02183 by Guanmeng Xian, Ning Yang, Philip S. Yu.

**Figure 1.** Figure 1: Adversarial training under long-tailed data in fea view at source ↗

**Figure 2.** Figure 2: Overview of MCAT for long-tailed adversarial robustness. Left: Under long-tailed data, standard adversarial training exhibits (i) off-manifold adversarial drift and (ii) geometric margin collapse for tail classes. Middle: MCAT couples two mechanisms: a class-conditional manifold distance penalty in feature space and an ETF-inspired geometric alignment of classifier weights. Right: Manifold-Constrained PGD… view at source ↗

**Figure 3.** Figure 3: Adversarial robustness under increasing imbalance view at source ↗

**Figure 4.** Figure 4: Sensitivity analysis of MCAT hyperparameters view at source ↗

**Figure 6.** Figure 6: Off-manifold adversarial drift on CIFAR-100-LT view at source ↗

**Figure 7.** Figure 7: Theory-aligned empirical evidence on CIFAR-100-LT (IR=100). (a) Larger minimum inter-class angle θmin correlates with stronger tail robustness. (b) MCAT shifts the tail-class distribution of the sample-wise robustness proxy rˆ(x) toward larger values. (c) Increasing the manifold constraint weight λ jointly suppresses off-manifold drift and improves robust accuracy. 5.6 RQ4: Mechanism Verification and The… view at source ↗

**Figure 8.** Figure 8: Case study on CIFAR-100-LT (IR=100) show view at source ↗

**Figure 9.** Figure 9: Robust accuracy over all classes under AutoAttack view at source ↗

**Figure 10.** Figure 10: Manifold stability and geometric alignment trade view at source ↗

read the original abstract

Adversarial training is effective on balanced datasets, but its robustness degrades under longtailed class distributions, where tail classes suffer high robust error and unstable decision boundaries. We propose Manifold-Constrained Adversarial Training (MCAT), a unified framework that enforces the semantic validity of adversarial examples by penalizing deviations from class-conditional manifolds in feature space, while promoting balanced geometric separation across classes via an ETF-inspired regularization. We provide theoretical results that link geometric separation to lower bounds on adversarially robust margins, and show that manifold-constrained adversarial risk upperbounds robust risk on high-density semantic regions. Extensive experiments on standard longtailed benchmarks demonstrate consistent improvements in overall, balanced, and tail-class adversarial robustness.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

MCAT adds manifold penalties and ETF regularization to adversarial training for long-tailed data, but the theory hinges on noisy tail manifold estimates that likely weaken the claimed bounds.

read the letter

The main thing to know is that this paper targets the practical failure of adversarial training on imbalanced data by adding a penalty that keeps adversarial examples close to estimated class manifolds in feature space, plus an ETF-inspired term to encourage balanced separation. It reports gains on standard long-tailed benchmarks for overall, balanced, and especially tail-class robust accuracy. That combination is not entirely new in pieces, but the specific pairing for this setting is the fresh angle, and the experiments appear to show consistent improvements where prior methods drop off on tails. Credit to the authors for focusing on a deployment-relevant gap rather than balanced datasets only. The empirical side looks like the stronger part here. The soft spots are in the theory and the manifold step. The abstract states that manifold-constrained risk upper-bounds robust risk on high-density regions and that geometric separation supplies lower bounds on margins, yet no derivation, assumptions, or controls are visible. More critically, the stress-test point lands: tail classes have very few samples, so any practical manifold estimate (prototype, covariance, or otherwise) will have high variance. If that estimate is off, the penalty either fails to block invalid directions or over-constrains valid ones, which undercuts the upper-bound relation the theory needs. The ETF term operates on centers and does not rescue the local tail geometry. Without seeing the full proofs or the exact manifold estimator used, it is hard to judge whether the bounds are substantive or mostly restate the regularization. The work is aimed at researchers handling robust models under real-world imbalance. A reader looking for practical methods with some empirical backing would find value in the framework and results, even if the theory needs more scrutiny. It is coherent enough on its own terms to deserve a serious referee rather than a desk reject, though any review should press hard on the manifold estimation reliability and whether the improvements hold under varied tail ratios or different manifold fitting choices.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes Manifold-Constrained Adversarial Training (MCAT) to improve adversarial robustness on long-tailed datasets. MCAT penalizes deviations from class-conditional manifolds in feature space to enforce semantic validity of adversarial examples and incorporates an ETF-inspired regularization term to promote balanced geometric separation across classes. It claims theoretical results linking geometric separation to lower bounds on adversarially robust margins and showing that manifold-constrained adversarial risk upper-bounds robust risk on high-density semantic regions. Experiments on standard long-tailed benchmarks are reported to yield consistent gains in overall, balanced, and tail-class adversarial robustness.

Significance. If the theoretical upper-bound relation holds under realistic manifold estimation and the ETF term delivers non-vacuous margin lower bounds, the work would address a practically important gap in adversarial training for imbalanced data. The geometric-alignment perspective is conceptually appealing and could influence future robust-learning methods that must handle tail classes. The experimental improvements, if supported by proper controls and ablations, would provide useful empirical evidence. The significance is reduced by the absence of visible derivation details and by the load-bearing dependence on stable manifold estimates from scarce tail samples.

major comments (2)

[Theoretical results section] Theoretical results section: the claim that manifold-constrained adversarial risk upper-bounds robust risk on high-density semantic regions is load-bearing for the central contribution, yet it presupposes that class-conditional manifolds can be estimated reliably enough for the penalty to exclude semantically invalid directions without suppressing valid ones. In long-tailed regimes the tail-class feature clouds rest on very few points; any practical estimator will have high variance, which risks either vacuous or overly restrictive constraints and thereby breaks the asserted upper-bound relation. A sensitivity analysis to manifold estimation error or explicit assumptions on the estimator (e.g., prototype, low-rank, or density-based) is required.
[Method and theoretical analysis] Method and theoretical analysis: the ETF-inspired regularization is stated to supply lower bounds on adversarially robust margins via geometric separation, but without the explicit regularization term, the theorem statement, or the derivation steps it is impossible to verify whether the bound is independent of the manifold penalty or reduces to a fitted quantity. This circularity risk directly affects the claim that the combined framework yields theoretically grounded robustness improvements.

minor comments (2)

[Experiments section] Experiments section: include ablations that isolate the manifold penalty from the ETF term and report tail-class sample sizes alongside robust accuracy to allow assessment of whether gains are driven by the proposed constraints or by other factors.
[Notation and method description] Notation and method description: explicitly define how class-conditional manifolds are estimated (e.g., via learned prototypes, covariance, or auto-encoder reconstruction) and state the precise form of the manifold penalty term.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments, which identify key areas where additional rigor will strengthen the theoretical contributions. We address each major comment below and will incorporate the requested clarifications and analyses in the revised manuscript.

read point-by-point responses

Referee: Theoretical results section: the claim that manifold-constrained adversarial risk upper-bounds robust risk on high-density semantic regions is load-bearing for the central contribution, yet it presupposes that class-conditional manifolds can be estimated reliably enough for the penalty to exclude semantically invalid directions without suppressing valid ones. In long-tailed regimes the tail-class feature clouds rest on very few points; any practical estimator will have high variance, which risks either vacuous or overly restrictive constraints and thereby breaks the asserted upper-bound relation. A sensitivity analysis to manifold estimation error or explicit assumptions on the estimator (e.g., prototype, low-rank, or density-based) is required.

Authors: We concur that the upper-bound relation depends critically on the quality of manifold estimation, which is particularly delicate for tail classes with scarce samples. To address this, we will revise the theoretical results section to state explicit assumptions on the estimator (including bounded estimation error for prototype-based or low-rank approximations) and add a sensitivity analysis subsection. This analysis will quantify the effect of manifold estimation variance on the upper-bound, using both theoretical error propagation and controlled empirical perturbations on tail-class features. These additions will clarify the conditions under which the bound remains valid. revision: yes
Referee: Method and theoretical analysis: the ETF-inspired regularization is stated to supply lower bounds on adversarially robust margins via geometric separation, but without the explicit regularization term, the theorem statement, or the derivation steps it is impossible to verify whether the bound is independent of the manifold penalty or reduces to a fitted quantity. This circularity risk directly affects the claim that the combined framework yields theoretically grounded robustness improvements.

Authors: We appreciate the need for full transparency on the regularization and its theoretical consequences. In the revised manuscript we will insert the explicit mathematical expression for the ETF-inspired regularization term into the method section. We will also provide the complete theorem statement together with its full derivation in a dedicated appendix. The derivation proceeds from the geometric separation properties alone and establishes the margin lower bound independently of the manifold penalty term, thereby removing any risk of circularity. revision: yes

Circularity Check

0 steps flagged

No circularity: theoretical links presented as independent derivations without reduction to fitted quantities or self-citations

full rationale

The abstract states that MCAT provides theoretical results linking geometric separation to lower bounds on adversarially robust margins and that manifold-constrained adversarial risk upper-bounds robust risk on high-density regions. No equations, self-citations, or fitted-parameter renamings are visible in the provided text. The ETF-inspired term is described as regularization rather than a self-derived prediction. The derivation chain therefore remains self-contained against external benchmarks and does not reduce by construction to its inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review; no explicit free parameters, axioms, or invented entities can be extracted. Manifold estimation and ETF construction are implicit but not detailed.

pith-pipeline@v0.9.0 · 5420 in / 1079 out tokens · 67110 ms · 2026-05-08T18:56:28.854108+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

Foundation/BranchSelection.lean RCLCombiner_isCoupling_iff unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

regularize classifier weights W toward a simplex Equiangular Tight Frame (ETF) structure by penalizing deviations of the Gram matrix: R_geom(Θ) = ‖W⊤W − αI − β11⊤‖²_F
Foundation/AlphaCoordinateFixation.lean alpha_pin_under_high_calibration unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

Theorem 1 (Robust Margin from Geometric Separation): If ϵ < sin(θ_min/2)/L, then the predicted label of x remains invariant to all perturbations in B_ϵ(x).
Cost/FunctionalEquation.lean (J = ½(x+x⁻¹)−1) washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

MCAT consists of two complementary components ... manifold penalty weight λ ... geometric alignment weight β

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

32 extracted references · 32 canonical work pages

[1]

Cuda: Curriculum of data augmentation for long-tailed recognition

[Ahnet al., 2023 ] Sumyeong Ahn, Jongwoo Ko, and Se- Young Yun. Cuda: Curriculum of data augmentation for long-tailed recognition. InThe Eleventh International Conference on Learning Representations,

work page 2023
[2]

Prevalence of simplex compression in adversarially robust neural networks

[Caoet al., 2025 ] Yang Cao, Yanbo Chen, and Weiwei Liu. Prevalence of simplex compression in adversarially robust neural networks. InProceedings of the National Academy of Sciences,

work page 2025
[3]

Long-tailed adversarial training with self- distillation

[Choet al., 2025 ] Seungju Cho, Hongsin Lee, and Chang- ick Kim. Long-tailed adversarial training with self- distillation. InThe Thirteenth International Conference on Learning Representations,

work page 2025
[4]

Global and local mix- ture consistency cumulative learning for long-tailed visual recognitions

[Duet al., 2023 ] Fei Du, Peng Yang, Qi Jia, Fengtao Nan, Xiaoting Chen, and Yun Yang. Global and local mix- ture consistency cumulative learning for long-tailed visual recognitions. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 15814– 15823,

work page 2023
[5]

Fedtail: Federated long-tailed domain generalization with sharpness-guided gradient matching.arXiv preprint arXiv:2506.08518,

[Guptaet al., 2025 ] Sunny Gupta, Nikita Jangid, Shounak Das, and Amit Sethi. Fedtail: Federated long-tailed domain generalization with sharpness-guided gradient matching.arXiv preprint arXiv:2506.08518,

work page arXiv 2025
[6]

Las-at: adversarial training with learnable attack strategy

[Jiaet al., 2022 ] Xiaojun Jia, Yong Zhang, Baoyuan Wu, Ke Ma, Jue Wang, and Xiaochun Cao. Las-at: adversarial training with learnable attack strategy. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 13398–13408,

work page 2022
[7]

arXiv preprint arXiv:2206.04041 , year=

[Kothapalli, 2022] Vignesh Kothapalli. Neural collapse: A review on modelling principles and generalization.arXiv preprint arXiv:2206.04041,

work page arXiv 2022
[8]

Comparative study of adversarial training methods for long-tailed classification

[Liet al., 2021 ] Xiangxian Li, Haokai Ma, Lei Meng, and Xiangxu Meng. Comparative study of adversarial training methods for long-tailed classification. InProceedings of the 1st International Workshop on Adversarial Learning for Multimedia, pages 1–7,

work page 2021
[9]

Alleviating the effect of data imbalance on ad- versarial training

[Liet al., 2023 ] Guanlin Li, Guowen Xu, and Tianwei Zhang. Alleviating the effect of data imbalance on ad- versarial training. InAdvances in Neural Information Pro- cessing Systems,

work page 2023
[10]

Enhancing the adversarial robustness via manifold projec- tion

[Liet al., 2025 ] Zhiting Li, Shibai Yin, Tai-Xiang Jiang, Yexun Hu, Jia-Mian Wu, Guowei Yang, and Guisong Liu. Enhancing the adversarial robustness via manifold projec- tion. InProceedings of the AAAI Conference on Artificial Intelligence, pages 451–459,

work page 2025
[11]

Breadcrumbs: Adversarial class-balanced sampling for long-tailed recognition

[Liuet al., 2022 ] Bo Liu, Haoxiang Li, Hao Kang, Gang Hua, and Nuno Vasconcelos. Breadcrumbs: Adversarial class-balanced sampling for long-tailed recognition. In European conference on computer vision, pages 637–653,

work page 2022
[12]

[Papyanet al., 2020 ] Vardan Papyan, X. Y . Han, and David L. Donoho. Prevalence of neural collapse during the terminal phase of deep learning training.Proceedings of the National Academy of Sciences,

work page 2020
[13]

Balanced meta-softmax for long- tailed visual recognition.Advances in neural information processing systems, 33:4175–4186,

[Renet al., 2020 ] Jiawei Ren, Cunjun Yu, Xiao Ma, Haiyu Zhao, Shuai Yi, et al. Balanced meta-softmax for long- tailed visual recognition.Advances in neural information processing systems, 33:4175–4186,

work page 2020
[14]

Geometrically regularized transfer learning with on-manifold and off-manifold perturbation.arXiv preprint arXiv:2505.15191,

[Satouet al., 2025 ] Hana Satou, Alan Mitkiy, Emma Collins, and Finn Kingston. Geometrically regularized transfer learning with on-manifold and off-manifold perturbation.arXiv preprint arXiv:2505.15191,

work page arXiv 2025
[15]

Diffult: Diffusion for long-tailed recognition without external knowledge

[Shaoet al., 2024 ] Jie Shao, Ke Zhu, Hanxiao Zhang, and Jianxin Wu. Diffult: Diffusion for long-tailed recognition without external knowledge. InAdvances in Neural Infor- mation Processing Systems,

work page 2024
[16]

Rethinking classifier re-training in long-tailed recognition: Label over-smooth can balance

[Sunet al., 2025 ] Siyu Sun, Han Lu, Jiangtong Li, Yichen Xie, Tianjiao Li, Xiaokang Yang, Liqing Zhang, and Junchi Yan. Rethinking classifier re-training in long-tailed recognition: Label over-smooth can balance. InInterna- tional Conference on Learning Representations,

work page 2025
[17]

Improv- ing adversarial robustness requires revisiting misclassified examples

[Wanget al., 2020 ] Yisen Wang, Difan Zou, Jinfeng Yi, James Bailey, Xingjun Ma, and Quanquan Gu. Improv- ing adversarial robustness requires revisiting misclassified examples. InInternational conference on learning repre- sentations,

work page 2020
[18]

Adversarial weight perturbation helps robust gener- alization.Advances in neural information processing sys- tems, 33:2958–2969,

[Wuet al., 2020 ] Dongxian Wu, Shu-Tao Xia, and Yisen Wang. Adversarial weight perturbation helps robust gener- alization.Advances in neural information processing sys- tems, 33:2958–2969,

work page 2020
[19]

Adversarial robustness under long-tailed distribution

[Wuet al., 2021 ] Tong Wu, Ziwei Liu, Qingqiu Huang, Yu Wang, and Dahua Lin. Adversarial robustness under long-tailed distribution. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 8659–8668,

work page 2021
[20]

Towards calibrated model for long-tailed visual recognition from prior perspective.Advances in Neural Information Processing Systems, 34:7139–7152,

[Xuet al., 2021 ] Zhengzhuo Xu, Zenghao Chai, and Chun Yuan. Towards calibrated model for long-tailed visual recognition from prior perspective.Advances in Neural Information Processing Systems, 34:7139–7152,

work page 2021
[21]

Geom- etry of long-tailed representation learning: Rebalancing features for skewed distributions

[Yiet al., 2025 ] Lingjie Yi, Michael Yao, Weimin Lyu, Haibin Ling, Raphael Douady, and Chao Chen. Geom- etry of long-tailed representation learning: Rebalancing features for skewed distributions. InInternational Con- ference on Learning Representations,

work page 2025
[22]

Taet: Two-stage adversarial equalization training on long-tailed distributions

[Yu-Hanget al., 2025 ] Wang Yu-Hang, Junkang Guo, Aolei Liu, Kaihao Wang, Zaitong Wu, Zhenyu Liu, Wenfei Yin, and Jian Liu. Taet: Two-stage adversarial equalization training on long-tailed distributions. InProceedings of the Computer Vision and Pattern Recognition Conference, pages 15476–15485,

work page 2025
[23]

Revisiting adversarial training under long- tailed distributions

[Yueet al., 2024 ] Xinli Yue, Ningping Mou, Qian Wang, and Lingchen Zhao. Revisiting adversarial training under long- tailed distributions. InProceedings of the IEEE/CVF con- ference on computer vision and pattern recognition, pages 24492–24501,

work page 2024
[24]

Robust long-tailed image classification via adversarial fea- ture re-calibration

[Zhang and Feng, 2024] Jinghao Zhang and Zhenhua Feng. Robust long-tailed image classification via adversarial fea- ture re-calibration. InProceedings of the 19th Interna- tional Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications, volume 2, pages 213–220,

work page 2024
[25]

Xing, Laurent El Ghaoui, and Michael I

[Zhanget al., 2019 ] Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric P. Xing, Laurent El Ghaoui, and Michael I. Jor- dan. Theoretically principled trade-off between robustness and accuracy. InProceedings of the International Confer- ence on Machine Learning,

work page 2019
[26]

Adversarial examples for good: Adversarial examples guided imbalanced learning

[Zhanget al., 2022 ] Jie Zhang, Lei Zhang, Gang Li, and Chao Wu. Adversarial examples for good: Adversarial examples guided imbalanced learning. In2022 IEEE In- ternational Conference on Image Processing (ICIP), pages 136–140. IEEE,

work page 2022
[27]

Deep long-tailed learn- ing: A survey.IEEE transactions on pattern analysis and machine intelligence, 45(9):10795–10816,

[Zhanget al., 2023 ] Yifan Zhang, Bingyi Kang, Bryan Hooi, Shuicheng Yan, and Jiashi Feng. Deep long-tailed learn- ing: A survey.IEEE transactions on pattern analysis and machine intelligence, 45(9):10795–10816,

work page 2023
[28]

Manifold-driven decomposition for adversarial robustness.Frontiers in Computer Science, 5:1274695,

[Zhanget al., 2024 ] Wenjia Zhang, Yikai Zhang, Xiaoling Hu, Yi Yao, Mayank Goswami, Chao Chen, and Dimitris Metaxas. Manifold-driven decomposition for adversarial robustness.Frontiers in Computer Science, 5:1274695,

work page 2024
[29]

A system- atic review on long-tailed learning.IEEE Transactions on Neural Networks and Learning Systems,

[Zhanget al., 2025 ] Chongsheng Zhang, George Almpani- dis, Gaojuan Fan, Binquan Deng, Yanbo Zhang, Ji Liu, Aouaidjia Kamel, Paolo Soda, and Jo˜ao Gama. A system- atic review on long-tailed learning.IEEE Transactions on Neural Networks and Learning Systems,

work page 2025
[30]

Continuous contrastive learning for long-tailed semi-supervised recog- nition

[Zhouet al., 2024 ] Zihao Zhou, Siyuan Fang, Zijing Zhou, Tong Wei, Yuanyu Wan, and Minling Zhang. Continuous contrastive learning for long-tailed semi-supervised recog- nition. InAdvances in Neural Information Processing Sys- tems,

work page 2024
[31]

Bal- anced contrastive learning for long-tailed visual recogni- tion

[Zhuet al., 2022 ] Jianggang Zhu, Zheng Wang, Jingjing Chen, Yi-Ping Phoebe Chen, and Yu-Gang Jiang. Bal- anced contrastive learning for long-tailed visual recogni- tion. InProceedings of the IEEE/CVF conference on com- puter vision and pattern recognition, pages 6908–6917,

work page 2022
[32]

Compared to Base AT, MCAT yields tighter and better-separated tail clusters while maintaining compact head representations

3 2 1 0 1 2 3 4 Embedding dim-1 (2D projection) MCAT Figure 8: Case study on CIFAR-100-LT (IR=100) show- ing 2D embedding projections of one head and two tail classes. Compared to Base AT, MCAT yields tighter and better-separated tail clusters while maintaining compact head representations. 0 20 40 60 80 100 Classes (sorted by decreasing training frequenc...

work page 2021

[1] [1]

Cuda: Curriculum of data augmentation for long-tailed recognition

[Ahnet al., 2023 ] Sumyeong Ahn, Jongwoo Ko, and Se- Young Yun. Cuda: Curriculum of data augmentation for long-tailed recognition. InThe Eleventh International Conference on Learning Representations,

work page 2023

[2] [2]

Prevalence of simplex compression in adversarially robust neural networks

[Caoet al., 2025 ] Yang Cao, Yanbo Chen, and Weiwei Liu. Prevalence of simplex compression in adversarially robust neural networks. InProceedings of the National Academy of Sciences,

work page 2025

[3] [3]

Long-tailed adversarial training with self- distillation

[Choet al., 2025 ] Seungju Cho, Hongsin Lee, and Chang- ick Kim. Long-tailed adversarial training with self- distillation. InThe Thirteenth International Conference on Learning Representations,

work page 2025

[4] [4]

Global and local mix- ture consistency cumulative learning for long-tailed visual recognitions

[Duet al., 2023 ] Fei Du, Peng Yang, Qi Jia, Fengtao Nan, Xiaoting Chen, and Yun Yang. Global and local mix- ture consistency cumulative learning for long-tailed visual recognitions. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 15814– 15823,

work page 2023

[5] [5]

Fedtail: Federated long-tailed domain generalization with sharpness-guided gradient matching.arXiv preprint arXiv:2506.08518,

[Guptaet al., 2025 ] Sunny Gupta, Nikita Jangid, Shounak Das, and Amit Sethi. Fedtail: Federated long-tailed domain generalization with sharpness-guided gradient matching.arXiv preprint arXiv:2506.08518,

work page arXiv 2025

[6] [6]

Las-at: adversarial training with learnable attack strategy

[Jiaet al., 2022 ] Xiaojun Jia, Yong Zhang, Baoyuan Wu, Ke Ma, Jue Wang, and Xiaochun Cao. Las-at: adversarial training with learnable attack strategy. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 13398–13408,

work page 2022

[7] [7]

arXiv preprint arXiv:2206.04041 , year=

[Kothapalli, 2022] Vignesh Kothapalli. Neural collapse: A review on modelling principles and generalization.arXiv preprint arXiv:2206.04041,

work page arXiv 2022

[8] [8]

Comparative study of adversarial training methods for long-tailed classification

[Liet al., 2021 ] Xiangxian Li, Haokai Ma, Lei Meng, and Xiangxu Meng. Comparative study of adversarial training methods for long-tailed classification. InProceedings of the 1st International Workshop on Adversarial Learning for Multimedia, pages 1–7,

work page 2021

[9] [9]

Alleviating the effect of data imbalance on ad- versarial training

[Liet al., 2023 ] Guanlin Li, Guowen Xu, and Tianwei Zhang. Alleviating the effect of data imbalance on ad- versarial training. InAdvances in Neural Information Pro- cessing Systems,

work page 2023

[10] [10]

Enhancing the adversarial robustness via manifold projec- tion

[Liet al., 2025 ] Zhiting Li, Shibai Yin, Tai-Xiang Jiang, Yexun Hu, Jia-Mian Wu, Guowei Yang, and Guisong Liu. Enhancing the adversarial robustness via manifold projec- tion. InProceedings of the AAAI Conference on Artificial Intelligence, pages 451–459,

work page 2025

[11] [11]

Breadcrumbs: Adversarial class-balanced sampling for long-tailed recognition

[Liuet al., 2022 ] Bo Liu, Haoxiang Li, Hao Kang, Gang Hua, and Nuno Vasconcelos. Breadcrumbs: Adversarial class-balanced sampling for long-tailed recognition. In European conference on computer vision, pages 637–653,

work page 2022

[12] [12]

[Papyanet al., 2020 ] Vardan Papyan, X. Y . Han, and David L. Donoho. Prevalence of neural collapse during the terminal phase of deep learning training.Proceedings of the National Academy of Sciences,

work page 2020

[13] [13]

Balanced meta-softmax for long- tailed visual recognition.Advances in neural information processing systems, 33:4175–4186,

[Renet al., 2020 ] Jiawei Ren, Cunjun Yu, Xiao Ma, Haiyu Zhao, Shuai Yi, et al. Balanced meta-softmax for long- tailed visual recognition.Advances in neural information processing systems, 33:4175–4186,

work page 2020

[14] [14]

Geometrically regularized transfer learning with on-manifold and off-manifold perturbation.arXiv preprint arXiv:2505.15191,

[Satouet al., 2025 ] Hana Satou, Alan Mitkiy, Emma Collins, and Finn Kingston. Geometrically regularized transfer learning with on-manifold and off-manifold perturbation.arXiv preprint arXiv:2505.15191,

work page arXiv 2025

[15] [15]

Diffult: Diffusion for long-tailed recognition without external knowledge

[Shaoet al., 2024 ] Jie Shao, Ke Zhu, Hanxiao Zhang, and Jianxin Wu. Diffult: Diffusion for long-tailed recognition without external knowledge. InAdvances in Neural Infor- mation Processing Systems,

work page 2024

[16] [16]

Rethinking classifier re-training in long-tailed recognition: Label over-smooth can balance

[Sunet al., 2025 ] Siyu Sun, Han Lu, Jiangtong Li, Yichen Xie, Tianjiao Li, Xiaokang Yang, Liqing Zhang, and Junchi Yan. Rethinking classifier re-training in long-tailed recognition: Label over-smooth can balance. InInterna- tional Conference on Learning Representations,

work page 2025

[17] [17]

Improv- ing adversarial robustness requires revisiting misclassified examples

[Wanget al., 2020 ] Yisen Wang, Difan Zou, Jinfeng Yi, James Bailey, Xingjun Ma, and Quanquan Gu. Improv- ing adversarial robustness requires revisiting misclassified examples. InInternational conference on learning repre- sentations,

work page 2020

[18] [18]

Adversarial weight perturbation helps robust gener- alization.Advances in neural information processing sys- tems, 33:2958–2969,

[Wuet al., 2020 ] Dongxian Wu, Shu-Tao Xia, and Yisen Wang. Adversarial weight perturbation helps robust gener- alization.Advances in neural information processing sys- tems, 33:2958–2969,

work page 2020

[19] [19]

Adversarial robustness under long-tailed distribution

[Wuet al., 2021 ] Tong Wu, Ziwei Liu, Qingqiu Huang, Yu Wang, and Dahua Lin. Adversarial robustness under long-tailed distribution. InProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pages 8659–8668,

work page 2021

[20] [20]

Towards calibrated model for long-tailed visual recognition from prior perspective.Advances in Neural Information Processing Systems, 34:7139–7152,

[Xuet al., 2021 ] Zhengzhuo Xu, Zenghao Chai, and Chun Yuan. Towards calibrated model for long-tailed visual recognition from prior perspective.Advances in Neural Information Processing Systems, 34:7139–7152,

work page 2021

[21] [21]

Geom- etry of long-tailed representation learning: Rebalancing features for skewed distributions

[Yiet al., 2025 ] Lingjie Yi, Michael Yao, Weimin Lyu, Haibin Ling, Raphael Douady, and Chao Chen. Geom- etry of long-tailed representation learning: Rebalancing features for skewed distributions. InInternational Con- ference on Learning Representations,

work page 2025

[22] [22]

Taet: Two-stage adversarial equalization training on long-tailed distributions

[Yu-Hanget al., 2025 ] Wang Yu-Hang, Junkang Guo, Aolei Liu, Kaihao Wang, Zaitong Wu, Zhenyu Liu, Wenfei Yin, and Jian Liu. Taet: Two-stage adversarial equalization training on long-tailed distributions. InProceedings of the Computer Vision and Pattern Recognition Conference, pages 15476–15485,

work page 2025

[23] [23]

Revisiting adversarial training under long- tailed distributions

[Yueet al., 2024 ] Xinli Yue, Ningping Mou, Qian Wang, and Lingchen Zhao. Revisiting adversarial training under long- tailed distributions. InProceedings of the IEEE/CVF con- ference on computer vision and pattern recognition, pages 24492–24501,

work page 2024

[24] [24]

Robust long-tailed image classification via adversarial fea- ture re-calibration

[Zhang and Feng, 2024] Jinghao Zhang and Zhenhua Feng. Robust long-tailed image classification via adversarial fea- ture re-calibration. InProceedings of the 19th Interna- tional Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications, volume 2, pages 213–220,

work page 2024

[25] [25]

Xing, Laurent El Ghaoui, and Michael I

[Zhanget al., 2019 ] Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric P. Xing, Laurent El Ghaoui, and Michael I. Jor- dan. Theoretically principled trade-off between robustness and accuracy. InProceedings of the International Confer- ence on Machine Learning,

work page 2019

[26] [26]

Adversarial examples for good: Adversarial examples guided imbalanced learning

[Zhanget al., 2022 ] Jie Zhang, Lei Zhang, Gang Li, and Chao Wu. Adversarial examples for good: Adversarial examples guided imbalanced learning. In2022 IEEE In- ternational Conference on Image Processing (ICIP), pages 136–140. IEEE,

work page 2022

[27] [27]

Deep long-tailed learn- ing: A survey.IEEE transactions on pattern analysis and machine intelligence, 45(9):10795–10816,

[Zhanget al., 2023 ] Yifan Zhang, Bingyi Kang, Bryan Hooi, Shuicheng Yan, and Jiashi Feng. Deep long-tailed learn- ing: A survey.IEEE transactions on pattern analysis and machine intelligence, 45(9):10795–10816,

work page 2023

[28] [28]

Manifold-driven decomposition for adversarial robustness.Frontiers in Computer Science, 5:1274695,

[Zhanget al., 2024 ] Wenjia Zhang, Yikai Zhang, Xiaoling Hu, Yi Yao, Mayank Goswami, Chao Chen, and Dimitris Metaxas. Manifold-driven decomposition for adversarial robustness.Frontiers in Computer Science, 5:1274695,

work page 2024

[29] [29]

A system- atic review on long-tailed learning.IEEE Transactions on Neural Networks and Learning Systems,

[Zhanget al., 2025 ] Chongsheng Zhang, George Almpani- dis, Gaojuan Fan, Binquan Deng, Yanbo Zhang, Ji Liu, Aouaidjia Kamel, Paolo Soda, and Jo˜ao Gama. A system- atic review on long-tailed learning.IEEE Transactions on Neural Networks and Learning Systems,

work page 2025

[30] [30]

Continuous contrastive learning for long-tailed semi-supervised recog- nition

[Zhouet al., 2024 ] Zihao Zhou, Siyuan Fang, Zijing Zhou, Tong Wei, Yuanyu Wan, and Minling Zhang. Continuous contrastive learning for long-tailed semi-supervised recog- nition. InAdvances in Neural Information Processing Sys- tems,

work page 2024

[31] [31]

Bal- anced contrastive learning for long-tailed visual recogni- tion

[Zhuet al., 2022 ] Jianggang Zhu, Zheng Wang, Jingjing Chen, Yi-Ping Phoebe Chen, and Yu-Gang Jiang. Bal- anced contrastive learning for long-tailed visual recogni- tion. InProceedings of the IEEE/CVF conference on com- puter vision and pattern recognition, pages 6908–6917,

work page 2022

[32] [32]

Compared to Base AT, MCAT yields tighter and better-separated tail clusters while maintaining compact head representations

3 2 1 0 1 2 3 4 Embedding dim-1 (2D projection) MCAT Figure 8: Case study on CIFAR-100-LT (IR=100) show- ing 2D embedding projections of one head and two tail classes. Compared to Base AT, MCAT yields tighter and better-separated tail clusters while maintaining compact head representations. 0 20 40 60 80 100 Classes (sorted by decreasing training frequenc...

work page 2021