To be clearer, I assume that we only consider Supervised paradigm and Classification task (of course, if there is some literature on other paradigms and tasks, please share).

We all know that there is a plethora of adversarial attacks AND defenses on neural network. Unfortunately (or fortunately), most of the defenses have been debunked (thanks to the papers like https://arxiv.org/pdf/1802.00420.pdf), and Adversarial Training (AT) is generally the “best” defense so far (it’s NOT very effective against attacks, but it’s generally better than other fancy defenses).

However, it seems like (I can be wrong here) AT has not been compared to the defenses in a specific type, which uses the smoothness of neural network function and decision boundaries to prevent attacks from finding adversarial examples (I know there is definitely this type of defense, although I cannot recall any paper on top of my head).

So I guess my overall question is that “Are those defenses comparable to AT?”, which in turn means “Which are the best attacks against those defenses?” and “Are those attacks less effective against AT?”.

P.S: Please share some literature if possible. Thanks!