“…• l 0 attack: OnePixel [Su et al, 2019], SparseFool [Modas et al, 2019] • l 2 attack: Projected Gradient Descent-l 2 (PGDL2) [Goodfellow et al, 2014, Madry et al, 2017, DeepFool [Moosavi-Dezfooli et al, 2015], CW attack [Carlini and Wagner, 2016], AutoAttack-l 2 [Wong et al, 2020] • l ∞ attack: Fast Gradient Sign Method (FGSM) [Goodfellow et al, 2014], Projected Gradient Descent (PGD) [Goodfellow et al, 2014, Madry et al, 2017, AutoAttack-l ∞ [Wong et al, 2020] FGSM As one of the earliest and most popular adversarial attacks described by Goodfellow et al [2014], Fast Gradient Sign Method (FGSM) serves as a baseline attack in our training. As notified previously, to optimize the parameter in trained models is to maximize the loss function over δ.…”