Appendix

In this section, we first provide model parameters used for training the attack GANs. We then provide sample images from each cluster/class for each of the models, along with the generated noise using ourGAN models. In this section, we provide additional details for the defense approaches considered in this paper. B.1 RobustDeepClustering We provide hyperparameter values (Table 6) for training the GAN network for RUC, along with confusion matrices (Figures 37 - 39) and adversarial samples (Figures 40 - 42) obtained via our attack. Then, in Table 8 we provide the actual values used for generating the injection/detection bar plot figureinthemaintext.