I. Introduction
The rapid development of deep neural networks (DNNs) has led to breakthroughs in many long-standing machine learning tasks (e.g., natural language processing [1], image classification [2], speech recognition [3]). However, it is well known that DNNs are inherently vulnerable to malicious attacks, which raises concerns about their reliability, thus hindering their use in realistic security-critical domains [4]–[6].