$σ$-zero: Gradient-based Optimization of $\ell_0$-norm Adversarial Examples

Q: How reproducible is "$σ$-zero: Gradient-based Optimization of $\ell_0$-norm Adversarial Examples"?

Estimated time to first reproduction: a few hours. Risk flags: No maintained paper-verified implementation is currently available. This is primarily a method paper. Reproduce it within a maintained framework baseline instead of chasing paper-specific repos.

Antonio Emanuele Ciná, Francesco Villani, Maura Pintor, Lea Schönherr, Battista Biggio, Marcello Pelillo

Published: Feb 2, 2024

No direct implementation yet

Evidence: Inferred

Domain fit: Niche / domain-specific

Verified repos: 0

No strong AI-core implementation/artifact signals were detected from current providers.

Time to first repro: a few hours

1 risk flag

DOI Publisher

Evaluating the adversarial robustness of deep networks to gradient-based attacks is challenging. While most attacks consider $\ell_2$- and $\ell_\infty$-norm constraints to craft input perturbations, only a few investigate sparse $\ell_1$- and $\ell_0$-norm attacks. In particular, $\ell_0$-norm attacks remain the least studied due to the inherent complexity of optimizing over a non-convex and non-differentiable const ...

Read full abstract

raint. However, evaluating adversarial robustness under these attacks could reveal weaknesses otherwise left untested with more conventional $\ell_2$- and $\ell_\infty$-norm attacks. In this work, we propose a novel $\ell_0$-norm attack, called $σ$-zero, which leverages a differentiable approximation of the $\ell_0$ norm to facilitate gradient-based optimization, and an adaptive projection operator to dynamically adjust the trade-off between loss minimization and perturbation sparsity. Extensive evaluations using MNIST, CIFAR10, and ImageNet datasets, involving robust and non-robust models, show that $σ$\texttt{-zero} finds minimum $\ell_0$-norm adversarial examples without requiring any time-consuming hyperparameter tuning, and that it outperforms all competing sparse attacks in terms of success rate, perturbation size, and efficiency.

Technical details

Canonical key: doi-10.48550_arxiv.2402.01879

Cache status: Stale (SWR served)

Generated at: Jun 18, 2026, 1:59 PM

Artifact coverage: sparse

HF provider: ok (mixed)

PWC source used: No

LLM status: not_generated

LLM model: n/a

LLM generated: Unknown

LLM content type: n/a

HF policy: hf-relevance-v27

context only

Benchmarks: thin evidence

Time to repro: a few hours

1 risk flag

Results & Benchmarks

Freshness tier: cold

Direct + Inferred Evidence

Some benchmark signal exists in the extracted evidence, but it is not structured strongly enough yet for a confident benchmark decision.

Evaluating the adversarial robustness of deep networks to gradient-based attacks is challenging.

Implementation Evidence Summary

Confidence: low

This is primarily a method paper. Reproduce it within a maintained framework baseline instead of chasing paper-specific repos.

Reproduction Risks

No maintained paper-verified implementation is currently available

Evidence disclosure

Evidence graph: 2 refs, 1 links.

Utility signals: depth 80/100, grounding 58/100, status medium.

Implementation Status

No verified maintained repo

There is no verified maintained implementation yet. Use this baseline plan to decide whether to prototype now or defer.

This is primarily a method paper. Reproduce it within a maintained framework baseline instead of chasing paper-specific repos.
Start with framework-native implementations (e.g. PyTorch optimizer module, Optax, or Transformers training loops).
Replicate the paper ablation settings first, then compare against modern baselines.

Time to first repro: a few hours

Reproduction readiness

No Repo

Time to first repro: hours

Last checked: Jun 18, 2026

No verified implementation available

· No maintained repository has been identified for this paper. Check adjacent implementations or HF artifacts below.

Hugging Face artifacts

No trustworthy direct or curated related Hugging Face artifacts were found yet.

Continue with targeted Hugging Face searches derived from the paper title and method context:

Models

$σ$-zero Mathematical optimization Mathematical optimization model

Datasets

Norm (philosophy) dataset Mathematical optimization benchmark $σ$-zero dataset

Spaces

Norm (philosophy) demo Mathematical optimization gradio $σ$-zero demo

Tip: start with models, then check datasets/spaces if you need evaluation data or demos.

Direct artifact matches are currently sparse. Use targeted Hugging Face searches to quickly locate candidate models, datasets, and demos.

Search models Search datasets Search spaces

Research context

Citations

References

Tasks

Sigma, Norm (philosophy), Zero (linguistics), Adversarial system, Computer science, Physical Sciences

Methods

Mathematical optimization

Domains

Mathematics, Physics, Artificial Intelligence

Evaluation & Human Feedback Data

Open this paper in HFEPX to review benchmark signals, evaluation modes, and human-feedback protocol context.

Open in HFEPX

Explore Similar Papers

Jump to Paper2Code search queries derived from this paper's research context.

Sigma Norm (philosophy) Zero (linguistics) Adversarial system Computer science Physical Sciences