arxiv: 2605.13395 · v1 · submitted 2026-05-13 · 💻 cs.LG · cs.CV

Recognition: unknown

Taming the Long Tail: Rebalancing Adversarial Training via Adaptive Perturbation

Lilin Zhang , Yimo Guo , Yue Li , Jiancheng Shi , Xianggen Liu

Authors on Pith no claims yet

Pith reviewed 2026-05-14 20:15 UTC · model grok-4.3

classification 💻 cs.LG cs.CV

keywords adversarial traininglong-tailed distributionclass imbalancerobustnessadaptive perturbationsdistribution rebalancing

0 comments

The pith

Adaptive perturbations can rebalance class distributions during adversarial training

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that perturbations added during adversarial training change the effective training distribution in ways that can reduce class imbalance in long-tailed data at the same time as they build robustness. Standard adversarial training on such data suffers from a skewed objective that favors head classes and from unstable shifts in the adversarial examples themselves. The authors derive that controlled perturbations can counter both problems and introduce RobustLT as a plug-and-play method that adapts the perturbation rule on the fly. Experiments confirm gains in robust accuracy and class-balance metrics on long-tailed benchmarks.

Core claim

Perturbations in adversarial examples inherently alter the training distribution. This alteration can simultaneously address adversarial vulnerability and class imbalance. The proposed RobustLT framework adaptively adjusts perturbations during adversarial training. Extensive experiments demonstrate that RobustLT consistently enhances adversarial robustness and class-balance on long-tailed datasets.

What carries the argument

RobustLT, a plug-and-play framework that adaptively adjusts perturbations during adversarial training to rebalance the effective training distribution

If this is right

Adversarial training on long-tailed data improves without separate resampling or reweighting steps.
Both head-class and tail-class performance rise together rather than trading off.
The method attaches directly to existing adversarial training pipelines as a plug-in.
The effective training distribution becomes less skewed while adversarial robustness increases.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Similar adaptive perturbation rules could substitute for resampling in other imbalanced supervised settings.
The same mechanism may help with distribution shifts beyond class imbalance, such as domain adaptation.
Testing the rule on real-world long-tailed data with extreme imbalance ratios would check scalability.

Load-bearing premise

Perturbations can be adjusted adaptively to alter the training distribution favorably without introducing new instabilities or needing heavy per-dataset tuning.

What would settle it

A controlled experiment on a long-tailed dataset in which RobustLT produces no gain or a drop in robust accuracy or balanced accuracy compared with standard adversarial training.

Figures

Figures reproduced from arXiv: 2605.13395 by Jiancheng Shi, Lilin Zhang, Xianggen Liu, Yimo Guo, Yue Li.

**Figure 2.** Figure 2: Robust accuracy, natural accuracy, and the tradeoff between them under varying settings of [PITH_FULL_IMAGE:figures/full_fig_p008_2.png] view at source ↗

**Figure 3.** Figure 3: Adaptive perturbation intensity in final epoch of different enhancement methods, averaged over multiple base algorithms. [PITH_FULL_IMAGE:figures/full_fig_p018_3.png] view at source ↗

**Figure 4.** Figure 4: T-SNE visualizations of the latent space logits of adversarial examples (AEs) generated with and without CPB extracted from [PITH_FULL_IMAGE:figures/full_fig_p018_4.png] view at source ↗

**Figure 5.** Figure 5: T-SNE visualizations of the latent space logits of adversarial examples (AEs) generated with and without AIW across multiple [PITH_FULL_IMAGE:figures/full_fig_p018_5.png] view at source ↗

**Figure 6.** Figure 6: Robust accuracy, natural accuracy, and the tradeoff between them under varying settings of [PITH_FULL_IMAGE:figures/full_fig_p021_6.png] view at source ↗

read the original abstract

Deep neural networks are highly vulnerable to adversarial examples, i.e.,small perturbations that can significantly degrade model performance. While adversarial training has become the primary defense strategy, most studies focus on balanced datasets, overlooking the challenges posed by real-world long-tail data. Motivated by the fact that perturbations in adversarial examples inherently alter the training distribution, we theoretically investigate their impact. We first revisit adversarial training for long-tail data and identify two key limitations: (i) a skewed training objective caused by class imbalance, and (ii) unstable evolution of adversarial distributions. Furthermore, we show that perturbations can simultaneously address both adversarial vulnerability and class imbalance. Based on these insights, we propose RobustLT, a plug-and-play framework that adaptively adjusts perturbations during adversarial training. Extensive experiments demonstrate that RobustLT consistently enhances adversarial robustness and class-balance on long-tailed datasets. The code is available at \href{https://github.com/zhang-lilin/RobustLT}{https://github.com/zhang-lilin/RobustLT}.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

read the letter

RobustLT adds an adaptive perturbation rule to adversarial training for long-tailed data and reports empirical gains, but the theoretical link between perturbations and simultaneous rebalancing lacks a clear derivation. The paper starts from a practical observation: standard adversarial training on imbalanced data produces a skewed objective that favors majority classes and lets adversarial distributions evolve unstably. It then claims that perturbations themselves can mitigate both problems at once, leading to the RobustLT framework that adjusts perturbation strength or direction on the fly. The method is presented as plug-and-play, which keeps the barrier low for users who already run adversarial training pipelines. Experiments on long-tailed datasets show consistent lifts in adversarial robustness alongside better class balance, and the code release supports checking the details. That combination of a targeted fix and reproducible results is the part worth noting. The main soft spot is the theoretical step. The abstract states that perturbations inherently alter the training distribution to fix skew and instability together, yet the mechanism for adaptation is not derived in enough detail to rule out new instabilities, such as over-perturbing tail classes or reintroducing gradient issues on extreme imbalance ratios. Without seeing the explicit steps or assumptions about loss ratios and gradient behavior, it is hard to judge whether the central claim holds or whether the adaptation rule simply trades one form of instability for another. This is not a fatal gap, but it is the section that would benefit most from tightening. The work is aimed at researchers who apply adversarial training to real-world imbalanced data, such as in security or medical imaging. A reader looking for an incremental, testable addition to existing defenses would get value from the method and the reported numbers. It deserves peer review because the problem is common, the approach is straightforward to implement, and the experiments give referees something concrete to examine even if the theory needs more support.

Referee Report

2 major / 2 minor

Summary. The paper claims that perturbations in adversarial examples can simultaneously mitigate adversarial vulnerability and class imbalance on long-tailed data. It identifies two limitations in standard adversarial training—skewed training objectives from class imbalance and unstable evolution of adversarial distributions—then proposes RobustLT, a plug-and-play adaptive perturbation framework that rebalances the training distribution during adversarial training. Extensive experiments are said to show consistent gains in both robustness and class balance on long-tailed datasets.

Significance. If the theoretical analysis is sound and the adaptive rule is shown to be stable without hidden assumptions, the work would meaningfully connect adversarial training with long-tail learning, offering a practical method for real-world imbalanced data where both robustness and fairness matter. The plug-and-play design and public code release strengthen potential impact.

major comments (2)

[Theoretical analysis] Theoretical analysis (likely §3): the claim that perturbations inherently rebalance class skew while stabilizing adversarial distributions lacks an explicit derivation showing that the adaptive rule introduces no new instabilities (e.g., via bounded loss ratios or gradient behavior assumptions) for extreme imbalance ratios; this is load-bearing for the central claim that the method simultaneously fixes both issues without dataset-specific tuning.
[§4] §4 (method): the precise mechanism by which perturbation magnitude or direction is adjusted per class or sample (loss-driven or frequency-driven) is not derived in sufficient detail to rule out reintroduction of instability in the adversarial distribution evolution.

minor comments (2)

[Abstract] Abstract: the statement 'perturbations can simultaneously address both' should be qualified with the conditions under which the adaptive rule is guaranteed to remain stable.
[Experiments] Experiments section: clarify the exact long-tailed datasets, imbalance ratios, and whether statistical significance tests (e.g., over multiple runs) support the 'consistent' improvements.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We sincerely thank the referee for the detailed and constructive comments on our manuscript. We have carefully considered the major concerns raised and provide point-by-point responses below. We will incorporate revisions to address the theoretical and methodological clarifications requested.

read point-by-point responses

Referee: [Theoretical analysis] Theoretical analysis (likely §3): the claim that perturbations inherently rebalance class skew while stabilizing adversarial distributions lacks an explicit derivation showing that the adaptive rule introduces no new instabilities (e.g., via bounded loss ratios or gradient behavior assumptions) for extreme imbalance ratios; this is load-bearing for the central claim that the method simultaneously fixes both issues without dataset-specific tuning.

Authors: We thank the referee for highlighting this important aspect. In Section 3 of the manuscript, we present a theoretical analysis demonstrating that perturbations can rebalance the class distribution and stabilize adversarial examples. However, to strengthen the claim regarding stability under extreme imbalance ratios, we will add an explicit derivation in the revised version. This will include bounds on the loss ratios and analysis of gradient behavior to show that the adaptive perturbation rule does not introduce new instabilities, without requiring dataset-specific tuning. The revised analysis will be placed in a new subsection following the existing theoretical results. revision: yes
Referee: [§4] §4 (method): the precise mechanism by which perturbation magnitude or direction is adjusted per class or sample (loss-driven or frequency-driven) is not derived in sufficient detail to rule out reintroduction of instability in the adversarial distribution evolution.

Authors: We appreciate this comment on the clarity of the method section. In Section 4, RobustLT adjusts the perturbation magnitude adaptively using a loss-driven term combined with class frequency information, as formalized in Equations (3) and (4). The direction remains aligned with the standard adversarial attack but scaled per sample. To address the concern, we will expand the description in the revised manuscript with additional mathematical derivation and pseudocode to explicitly show how this mechanism prevents reintroduction of instability in the adversarial distribution evolution. This will clarify that the adjustment is both loss-driven and frequency-driven in a balanced manner. revision: yes

Circularity Check

0 steps flagged

No circularity: derivation remains self-contained

full rationale

The abstract and provided text describe a theoretical revisit of adversarial training on long-tail data that identifies two limitations (skewed objective and unstable adversarial evolution), then states that perturbations can address both, leading to the RobustLT adaptive framework. No equations, fitted parameters, or self-citations are quoted that reduce the central claim to a definition or input by construction. The proposal is presented as derived from the identified limitations without renaming known results or importing uniqueness via author citations. The derivation chain is therefore independent of the target result and does not trigger any of the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Review performed on abstract only; no explicit free parameters, axioms, or invented entities are stated in the provided text.

pith-pipeline@v0.9.0 · 5483 in / 1065 out tokens · 39551 ms · 2026-05-14T20:15:49.398078+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

53 extracted references · 53 canonical work pages · 2 internal anchors

[1]

Recent advances in adversarial training for adversarial ro- bustness

Tao Bai, Jinqi Luo, Jun Zhao, Bihan Wen, and Qian Wang. Recent advances in adversarial training for adversarial ro- bustness. InProceedings of the Thirtieth International Joint Conference on Artificial Intelligence, 2021. 1

work page 2021
[2]

Evasion attacks against machine learning at test time

Battista Biggio, Igino Corona, Davide Maiorca, Blaine Nel- son, Nedim ˇSrndi´c, Pavel Laskov, Giorgio Giacinto, and Fabio Roli. Evasion attacks against machine learning at test time. In Joint European Conference on Machine Learning and Knowl- edge Discovery in Databases, pages 387–402, 2013. 1

work page 2013
[3]

A systematic study of the class imbalance problem in convolu- tional neural networks.Neural Networks, 106:249–259, 2018

Mateusz Buda, Atsuto Maki, and Maciej A Mazurowski. A systematic study of the class imbalance problem in convolu- tional neural networks.Neural Networks, 106:249–259, 2018. 1

work page 2018
[4]

A unified wasserstein distributional robustness framework for adversarial training

Anh Tuan Bui, Trung Le, Quan Hung Tran, He Zhao, and Dinh Phung. A unified wasserstein distributional robustness framework for adversarial training. InInternational Confer- ence on Learning Representations, 2022. 6

work page 2022
[5]

Learning imbalanced datasets with label- distribution-aware margin loss.Advances in Neural Informa- tion Processing Systems, 32, 2019

Kaidi Cao, Colin Wei, Adrien Gaidon, Nikos Arechiga, and Tengyu Ma. Learning imbalanced datasets with label- distribution-aware margin loss.Advances in Neural Informa- tion Processing Systems, 32, 2019. 1, 2, 6, 7

work page 2019
[6]

Towards evaluating the robustness of neural networks

Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks. In2017 IEEE Symposium on Security and Privacy (SP), pages 39–57, 2017. 7

work page 2017
[7]

Long-tailed adversarial training with self-distillation

Seungju Cho, Hongsin Lee, and Changick Kim. Long-tailed adversarial training with self-distillation. InThe Thirteenth International Conference on Learning Representations, 2025. 1, 2

work page 2025
[8]

A Downsampled Variant of ImageNet as an Alternative to the CIFAR datasets

Patryk Chrabaszcz, Ilya Loshchilov, and Frank Hutter. A downsampled variant of imagenet as an alternative to the cifar datasets.arXiv preprint arXiv:1707.08819, 2017. 10

work page internal anchor Pith review Pith/arXiv arXiv 2017
[9]

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter- free attacks

Francesco Croce and Matthias Hein. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter- free attacks. InInternational Conference on Machine Learn- ing, pages 2206–2216. PMLR, 2020. 6, 7

work page 2020
[10]

Robustbench: a standard- ized adversarial robustness benchmark

Francesco Croce, Maksym Andriushchenko, Vikash Sehwag, Edoardo Debenedetti, Nicolas Flammarion, Mung Chiang, Prateek Mittal, and Matthias Hein. Robustbench: a standard- ized adversarial robustness benchmark. InThirty-fifth Con- ference on Neural Information Processing Systems Datasets and Benchmarks Track (Round 2), 2021. 6

work page 2021
[11]

Explaining and harnessing adversarial examples

Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. InThe Twen- tieth International Conference on Learning Representations,

work page
[12]

LVIS: A dataset for large vocabulary instance segmentation

Agrim Gupta, Piotr Dollar, and Ross Girshick. LVIS: A dataset for large vocabulary instance segmentation. InPro- ceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 5356–5364, 2019. 1

work page 2019
[13]

Learning from imbalanced data.IEEE Transactions on Knowledge and Data Engineer- ing, 21(9):1263–1284, 2009

Haibo He and Edwardo A Garcia. Learning from imbalanced data.IEEE Transactions on Knowledge and Data Engineer- ing, 21(9):1263–1284, 2009. 1

work page 2009
[14]

Adversarial examples are not bugs, they are features.Advances in Neural Information Processing Systems, 32, 2019

Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, and Aleksander Madry. Adversarial examples are not bugs, they are features.Advances in Neural Information Processing Systems, 32, 2019. 1, 4

work page 2019
[15]

The class imbalance problem: A systematic study.Intelligent Data Analysis, 6(5): 429–449, 2002

Nathalie Japkowicz and Shaju Stephen. The class imbalance problem: A systematic study.Intelligent Data Analysis, 6(5): 429–449, 2002. 1

work page 2002
[16]

Learning multiple layers of features from tiny images

Alex Krizhevsky, Geoffrey Hinton, et al. Learning multiple layers of features from tiny images. 2009. 1, 6

work page 2009
[17]

Tiny imagenet visual recognition challenge.CS 231N, 7(7):3, 2015

Ya Le and Xuan Yang. Tiny imagenet visual recognition challenge.CS 231N, 7(7):3, 2015. 6

work page 2015
[18]

DAFA: Distance-aware fair adversarial training

Hyungyu Lee, Saehyung Lee, Hyemi Jang, Junsung Park, Ho Bae, and Sungroh Yoon. DAFA: Distance-aware fair adversarial training. InThe Twelfth International Conference on Learning Representations, 2024. 2, 6

work page 2024
[19]

WAT: Improve the worst-class robustness in adversarial training

Boqi Li and Weiwei Liu. WAT: Improve the worst-class robustness in adversarial training. InProceedings of the AAAI Conference on Artificial Intelligence, pages 14982–14990,

work page
[20]

Alleviating the effect of data imbalance on adversarial training, 2024

Guanlin Li, Guowen Xu, and Tianwei Zhang. Alleviating the effect of data imbalance on adversarial training, 2024. 6

work page 2024
[21]

Focal loss for dense object detection

Tsung-Yi Lin, Priya Goyal, Ross Girshick, Kaiming He, and Piotr Doll´ar. Focal loss for dense object detection. InPro- ceedings of the IEEE International Conference on Computer Vision, pages 2980–2988, 2017. 1, 2

work page 2017
[22]

Bridging the gap between learning and inference for diffusion-based molecule generation

Peidong Liu, Wenbo Zhang, Wei Ju, Jiancheng Lv, and Xi- anggen Liu. Bridging the gap between learning and inference for diffusion-based molecule generation. InThe 17th Asian Conference on Machine Learning (Conference Track), 2025. 10

work page 2025
[23]

On the trade- off between robustness and fairness.Advances in Neural Information Processing Systems, 35:26230–26241, 2022

Xinsong Ma, Zekai Wang, and Weiwei Liu. On the trade- off between robustness and fairness.Advances in Neural Information Processing Systems, 35:26230–26241, 2022. 2

work page 2022
[24]

Towards deep learn- ing models resistant to adversarial attacks

Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learn- ing models resistant to adversarial attacks. InInternational Conference on Learning Representations, 2018. 2, 6

work page 2018
[25]

Adversarial learning targeting deep neural network classification: A com- prehensive review of defenses against attacks.Proceedings of the IEEE, 108(3):402–433, 2020

David J Miller, Zhen Xiang, and George Kesidis. Adversarial learning targeting deep neural network classification: A com- prehensive review of defenses against attacks.Proceedings of the IEEE, 108(3):402–433, 2020. 1

work page 2020
[26]

When adversarial training meets vision trans- formers: Recipes from training to architecture

Yichuan Mo, Dongxian Wu, Yifei Wang, Yiwen Guo, and Yisen Wang. When adversarial training meets vision trans- formers: Recipes from training to architecture. InAdvances in Neural Information Processing Systems, pages 18599–18611. Curran Associates, Inc., 2022. 10

work page 2022
[27]

A method for solving the convex program- ming problem with convergence rate o(1/k2)

Yu E Nesterov. A method for solving the convex program- ming problem with convergence rate o(1/k2). InDoklady Akademii Nauk SSSR, pages 543–547, 1983. 7

work page 1983
[28]

Bag of tricks for adversarial training

Tianyu Pang, Xiao Yang, Yinpeng Dong, Hang Su, and Jun Zhu. Bag of tricks for adversarial training. InInternational Conference on Learning Representations, 2021. 7, 11

work page 2021
[29]

Balanced meta-softmax for long-tailed visual recognition

Jiawei Ren, Cunjun Yu, Xiao Ma, Haiyu Zhao, Shuai Yi, et al. Balanced meta-softmax for long-tailed visual recognition. Advances in Neural Information Processing Systems, 33:4175– 4186, 2020. 1, 2

work page 2020
[30]

A closer look at curriculum adversarial training: From an online perspective

Lianghe Shi and Weiwei Liu. A closer look at curriculum adversarial training: From an online perspective. InProceed- ings of the AAAI Conference on Artificial Intelligence, pages 14973–14981, 2024. 2 9

work page 2024
[31]

Distributionally robust deep learning as a generalization of adversarial training

Matthew Staib and Stefanie Jegelka. Distributionally robust deep learning as a generalization of adversarial training. In NIPS Workshop on Machine Learning and Computer Security, page 4, 2017. 6

work page 2017
[32]

Disentangling adversarial robustness and generalization

David Stutz, Matthias Hein, and Bernt Schiele. Disentangling adversarial robustness and generalization. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 6976–6987, 2019. 11

work page 2019
[33]

Improving robust fairness via balance adversarial training

Chunyu Sun, Chenye Xu, Chengyuan Yao, Siyuan Liang, Yichao Wu, Ding Liang, Xianglong Liu, and Aishan Liu. Improving robust fairness via balance adversarial training. In Proceedings of the AAAI Conference on Artificial Intelligence, pages 15161–15169, 2023. 2

work page 2023
[34]

Intriguing properties of neural networks

Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. InInternational Conference on Learning Representations, 2014. 1

work page 2014
[35]

Training data-efficient image transformers & distillation through atten- tion

Hugo Touvron, Matthieu Cord, Matthijs Douze, Francisco Massa, Alexandre Sablayrolles, and Herve Jegou. Training data-efficient image transformers & distillation through atten- tion. InProceedings of the 38th International Conference on Machine Learning, pages 10347–10357. PMLR, 2021. 7

work page 2021
[36]

Robustness may be at odds with accuracy

Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexan- der Turner, and Aleksander Madry. Robustness may be at odds with accuracy. InInternational Conference on Learning Representations, 2019. 4

work page 2019
[37]

The inaturalist species classification and detection dataset

Grant Van Horn, Oisin Mac Aodha, Yang Song, Yin Cui, Chen Sun, Alex Shepard, Hartwig Adam, Pietro Perona, and Serge Belongie. The inaturalist species classification and detection dataset. InProceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 8769–8778,

work page
[38]

Springer, 2008

C´edric Villani et al.Optimal Transport: Old and New. Springer, 2008. 3, 6

work page 2008
[39]

Create! don’t repeat: A paradigm shift in multi-label augmentation through label creative generation

Letian Wang, Xianggen Liu, and Jiancheng Lv. Create! don’t repeat: A paradigm shift in multi-label augmentation through label creative generation. InProceedings of the 2024 Confer- ence of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers), pages 855–869. Association for Computa...

work page 2024
[40]

Learn- ing to model the tail.Advances in Neural Information Pro- cessing Systems, 30, 2017

Yu-Xiong Wang, Deva Ramanan, and Martial Hebert. Learn- ing to model the tail.Advances in Neural Information Pro- cessing Systems, 30, 2017. 1

work page 2017
[41]

Better diffusion models further improve adversarial training

Zekai Wang, Tianyu Pang, Chao Du, Min Lin, Weiwei Liu, and Shuicheng Yan. Better diffusion models further improve adversarial training. InInternational Conference on Machine Learning, pages 36246–36263. PMLR, 2023. 2

work page 2023
[42]

CFA: Class-wise calibrated fair adversarial training

Zeming Wei, Yifei Wang, Yiwen Guo, and Yisen Wang. CFA: Class-wise calibrated fair adversarial training. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 8193–8201, 2023. 2, 6

work page 2023
[43]

Adversarial weight perturbation helps robust generalization.Advances in Neural Information Processing Systems, 33:2958–2969, 2020

Dongxian Wu, Shu-Tao Xia, and Yisen Wang. Adversarial weight perturbation helps robust generalization.Advances in Neural Information Processing Systems, 33:2958–2969, 2020. 6

work page 2020
[44]

Adversarial robustness under long-tailed distribution

Tong Wu, Ziwei Liu, Qingqiu Huang, Yu Wang, and Dahua Lin. Adversarial robustness under long-tailed distribution. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 8659–8668, 2021. 1, 2, 6

work page 2021
[45]

To be robust or to be fair: Towards fairness in adversarial training

Han Xu, Xiaorui Liu, Yaxin Li, Anil Jain, and Jiliang Tang. To be robust or to be fair: Towards fairness in adversarial training. InInternational Conference on Machine Learning, pages 11492–11501. PMLR, 2021. 2, 4

work page 2021
[46]

Taet: Two-stage adversarial equalization training on long-tailed dis- tributions

Wang Yu-Hang, Junkang Guo, Aolei Liu, Kaihao Wang, Zaitong Wu, Zhenyu Liu, Wenfei Yin, and Jian Liu. Taet: Two-stage adversarial equalization training on long-tailed dis- tributions. InProceedings of the Computer Vision and Pattern Recognition Conference, pages 15476–15485, 2025. 1, 2, 6

work page 2025
[47]

Revisiting adversarial training under long-tailed distributions

Xinli Yue, Ningping Mou, Qian Wang, and Lingchen Zhao. Revisiting adversarial training under long-tailed distributions. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 24492–24501, 2024. 1, 2, 6, 9

work page 2024
[48]

Wide Residual Networks

Sergey Zagoruyko and Nikos Komodakis. Wide residual networks.arXiv preprint arXiv:1605.07146, 2016. 6

work page internal anchor Pith review Pith/arXiv arXiv 2016
[49]

Theoretically principled trade-off between robustness and accuracy

Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric Xing, Lau- rent El Ghaoui, and Michael Jordan. Theoretically principled trade-off between robustness and accuracy. InInternational Conference on Machine Learning, pages 7472–7482. PMLR,

work page
[50]

Prov- able unrestricted adversarial training without compromise with generalizability.IEEE Transactions on Pattern Analysis and Machine Intelligence, 2024

Lilin Zhang, Ning Yang, Yanchao Sun, and Philip S Yu. Prov- able unrestricted adversarial training without compromise with generalizability.IEEE Transactions on Pattern Analysis and Machine Intelligence, 2024. 11

work page 2024
[51]

Weakly su- pervised contrastive adversarial training for learning robust features from semi-supervised data

Lilin Zhang, Chengpei Wu, and Ning Yang. Weakly su- pervised contrastive adversarial training for learning robust features from semi-supervised data. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 25718–25727, 2025. 2

work page 2025
[52]

Towards fairness-aware adversarial learn- ing

Yanghao Zhang, Tianle Zhang, Ronghui Mu, Xiaowei Huang, and Wenjie Ruan. Towards fairness-aware adversarial learn- ing. InProceedings of the IEEE/CVF Conference on Com- puter Vision and Pattern Recognition, pages 24746–24755,

work page
[53]

Ad- versarial training methods for deep learning: A systematic review.Algorithms, 15(8):283, 2022

Weimin Zhao, Sanaa Alwidian, and Qusay H Mahmoud. Ad- versarial training methods for deep learning: A systematic review.Algorithms, 15(8):283, 2022. 1 10 Taming the Long Tail: Rebalancing Adversarial Training via Adaptive Perturbation Appendix A. Proofs of Sec. 3 (Preliminaries and problem analysis) A.1. Useful lemmas Lemma A.1.Considering two arbitrary d...

work page 2022