Adversarial examples [78], i.e., nearly imperceptibly perturbed inputs that cause misclassification, assume an adversarial environment in which an attacker can actively manipulate a model's inputs. Such attacks have been demonstrated in the white-box setting, where the attacker has full access to the DNN, e.g., [20], [79], [80], [81], [82], as well as in the black-box setting, where the DNN's weights and gradients are unavailable, e.g., [83], [84], [85], [86]. These attacks also transfer between models [87] and can be mounted in the physical world [88], [89].
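To make the white-box setting concrete, the following is a minimal sketch of the fast gradient sign method (FGSM), a canonical one-step white-box attack: it perturbs the input in the direction of the sign of the loss gradient, which presumes gradient access to the model. The PyTorch classifier, the epsilon budget, and the [0, 1] input range are illustrative assumptions, not details taken from the cited works.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

def fgsm_attack(model: nn.Module, x: torch.Tensor, y: torch.Tensor,
                epsilon: float = 0.03) -> torch.Tensor:
    """One-step FGSM: nudge each input component by epsilon in the
    direction that increases the classification loss."""
    x = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    loss.backward()  # white-box step: requires the model's gradients
    x_adv = x + epsilon * x.grad.sign()
    return x_adv.clamp(0.0, 1.0).detach()  # keep inputs in [0, 1]

# Usage with a toy classifier (stand-in for a trained DNN):
model = nn.Sequential(nn.Flatten(), nn.Linear(28 * 28, 10))
x = torch.rand(8, 1, 28, 28)            # batch of "images" in [0, 1]
y = torch.randint(0, 10, (8,))          # ground-truth labels
x_adv = fgsm_attack(model, x, y)
print((x_adv - x).abs().max())          # perturbation is at most epsilon
```

Black-box attacks, by contrast, must work without this gradient, e.g., by querying the model and estimating gradients from its outputs or by transferring examples crafted on a substitute model.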