Countering Adversarial Images using Input Transformations


25 Jan 2018 | Chuan Guo, Mayank Rana, Moustapha Cissé & Laurens van der Maaten
This paper investigates strategies for defending image classifiers against adversarial examples by transforming inputs before they reach the classifier. Adversarial examples are inputs that have been perturbed only slightly, yet enough to make the classifier predict the wrong label; the attack methods considered are the fast gradient sign method (FGSM), DeepFool, and the Carlini-Wagner L2 attack (CW-L2). The transformations studied are bit-depth reduction, JPEG compression, total variance minimization, and image quilting.

Experiments on ImageNet show that total variance minimization and image quilting are the most effective of these defenses, particularly when the convolutional network is trained on transformed images. Both transformations are non-differentiable and inherently random, which makes them hard for an adversary to bypass even when the adversary knows the defense strategy. The best defense eliminates 60% of strong gray-box and 90% of strong black-box attacks from the major attack methods.

The paper also compares these model-agnostic defenses with model-specific defenses and with prior work. Image transformations reduce the success rate of adversarial attacks substantially, especially in gray-box and black-box settings, and are more effective than ensemble adversarial training in many cases. The paper concludes that input transformations, particularly total variance minimization and image quilting, are strong defenses against adversarial examples.
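As an added worked example (not code from the paper or its authors), the script below implements two of the transformations the summary names, bit-depth reduction and a small randomised total variance minimization, and applies them to a constructed 8x8 grayscale image carrying a ±0.02 checkerboard perturbation that stands in for a small pixel-level perturbation. The test image, the perturbation, the parameter values, the plain subgradient-descent solver and all function names are assumptions of this example, not the paper's own implementation.

```python
"""Added worked example, not code from the paper: bit-depth reduction and
randomised total variation minimisation (TVM) as input-transformation
defences, applied to a constructed 8x8 grayscale image. Pure Python."""
import random

H, W = 8, 8  # constructed image size


def make_clean_image():
    """Constructed test image: left half intensity 0.2, right half 0.8 (one sharp edge)."""
    return [[0.2 if j < W // 2 else 0.8 for j in range(W)] for _ in range(H)]


def add_checkerboard_noise(img, amplitude=0.02):
    """Constructed stand-in for a small perturbation: +/-amplitude checkerboard, clipped to [0, 1]."""
    return [[min(1.0, max(0.0, img[i][j] + (amplitude if (i + j) % 2 == 0 else -amplitude)))
             for j in range(W)] for i in range(H)]


def bit_depth_reduce(img, bits):
    """Quantise intensities in [0, 1] to 2**bits levels.
    A perturbation smaller than half a quantisation step is rounded away; a larger one survives."""
    levels = (1 << bits) - 1
    return [[round(p * levels) / levels for p in row] for row in img]


def total_variation(img):
    """Anisotropic TV: sum of |difference| over horizontally and vertically adjacent pixels."""
    tv = 0.0
    for i in range(H):
        for j in range(W):
            if i + 1 < H:
                tv += abs(img[i + 1][j] - img[i][j])
            if j + 1 < W:
                tv += abs(img[i][j + 1] - img[i][j])
    return tv


def tv_minimize(img, keep_prob=0.5, lam=0.02, lr=0.02, steps=300, seed=0):
    """Randomised TVM: keep each pixel with probability keep_prob (Bernoulli mask),
    then reconstruct z by subgradient descent on  sum_kept (z - x)^2 + lam * TV(z).
    Dropped pixels are filled in from their neighbours only, and the random mask is
    what makes the defence non-deterministic. Solver is an assumption of this example."""
    rng = random.Random(seed)
    mask = [[rng.random() < keep_prob for _ in range(W)] for _ in range(H)]
    z = [row[:] for row in img]

    def sign(d):
        return (d > 0) - (d < 0)

    for _ in range(steps):
        grad = [[0.0] * W for _ in range(H)]
        for i in range(H):
            for j in range(W):
                g = 2.0 * (z[i][j] - img[i][j]) if mask[i][j] else 0.0
                # subgradient of the four neighbouring |difference| terms w.r.t. z[i][j]
                if i + 1 < H:
                    g -= lam * sign(z[i + 1][j] - z[i][j])
                if i > 0:
                    g += lam * sign(z[i][j] - z[i - 1][j])
                if j + 1 < W:
                    g -= lam * sign(z[i][j + 1] - z[i][j])
                if j > 0:
                    g += lam * sign(z[i][j] - z[i][j - 1])
                grad[i][j] = g
        z = [[min(1.0, max(0.0, z[i][j] - lr * grad[i][j])) for j in range(W)] for i in range(H)]
    return z


def mean_abs_error(a, b):
    return sum(abs(a[i][j] - b[i][j]) for i in range(H) for j in range(W)) / (H * W)


def max_abs_error(a, b):
    return max(abs(a[i][j] - b[i][j]) for i in range(H) for j in range(W))


def run_defenses():
    """Apply both transformations to the perturbed image and measure, against the
    clean image, how much of the perturbation each one removes."""
    clean = make_clean_image()
    noisy = add_checkerboard_noise(clean)
    smoothed = tv_minimize(noisy)
    return {
        "noisy_max_err": max_abs_error(noisy, clean),
        "bits4_max_err": max_abs_error(bit_depth_reduce(noisy, 4), clean),
        "bits8_max_err": max_abs_error(bit_depth_reduce(noisy, 8), clean),
        "noisy_mean_err": mean_abs_error(noisy, clean),
        "tvm_mean_err": mean_abs_error(smoothed, clean),
        "noisy_tv": total_variation(noisy),
        "tvm_tv": total_variation(smoothed),
    }


if __name__ == "__main__":
    for name, value in run_defenses().items():
        print(f"{name:15s} {value:.4f}")
```

Running it shows the two behaviours a defender should expect: reducing to 4 bits (step 1/15) rounds the ±0.02 perturbation away completely, while keeping 8 bits (step 1/255) leaves it almost untouched, so bit-depth reduction only cancels perturbations smaller than half a quantisation step. TVM removes the checkerboard by smoothing toward the level of the randomly kept pixels while leaving the sharp edge between the two halves in place, which is why its output has a much lower total variation and is closer to the clean image than the perturbed input.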