A More numerical results

Thus, it is reasonable for us to target at mitigating black-box SQAs in real cases. AT models are impacted much more significantly. Moreover, AAA's superiority is enhanced as the attack becomes stronger. Although attackers generally greedily update based on the margin (of logits) loss [5, 41, 61], it is possible for them to choose other loss options such as minimizing the probability margin and maximizing the cross-entropy loss. AAA, as a plug-in post-processing defense, is embeddable into any defense that increases the model's robustness.