5fa29a2f163ce2020769eca8956e2d77-Supplemental-Conference.pdf

AAA, as a plug-in post-processing defense, is embeddable into any defense that increases the model's robustness. We run the main experiments in Table 2 for 5 times using different random seeds for Square attack, and report the results in Table 9. The detailed information of all our used models is shown in Table 10. AAA, RND, and DENT are directly implemented on the undefended model. All the attacks are adapted from the official repositories with original hyperparameters.