Which pairing correctly matches a common defense against adversarial examples with its limitation?

Defenses against adversarial examples often hinge on how well they generalize to unseen threats. Adversarial training trains the model with adversarially perturbed inputs so the model learns to resist those specific perturbations. This approach genuinely increases robustness to perturbations it has encountered during training, making misclassification less likely for those attacks. However, the protection tends to be limited in scope: it doesn’t guarantee resilience against new or different adversaries, especially those with perturbation styles not seen during training. The model can still be vulnerable to unseen attack methods, different perturbation distributions, or larger violations of the input constraints. In practice, this method can also be computationally intensive and may trade off accuracy on clean inputs or require careful tuning to avoid overfitting to the training perturbations. Other defenses often give the illusion of safety (like gradient masking), can be bypassed by adaptive attackers, or are not reliably effective or inexpensive. Therefore, the correct pairing reflects that adversarial training boosts robustness but has limited generalization to unseen adversarial tactics.