aae3ff05a5638ce4e2ef2fbc04229797-Supplemental-Conference.pdf

The total loss of the model is a combination of both regularization terms and a reconstructionloss. Herexr refers to reference image,xa to adversarial image and xr, xa to their corresponding reconstructions. The maximum input noise perturbation levelλ is limited to1,3 and 5. However, it should be also noted that with PGD-based training, the computational time is two times more expensive than our original method. These attacks are more successful when the adversarial reconstructions are less similar in appearance to the clean reconstructions.