“…The popularity of SRSs has brought new security concerns. Recent studies have shown that both open-source and commercial SRSs are vulnerable to adversarial attacks [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17]. To thwart adversarial attacks, five input transformations [15], [16], [18], [19] and two adversarial training [9], derived from other domains, have been studied.…”