{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T10:15:33Z","timestamp":1775470533840,"version":"3.50.1"},"publisher-location":"Cham","reference-count":48,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783030004699","type":"print"},{"value":"9783030004705","type":"electronic"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-030-00470-5_13","type":"book-chapter","created":{"date-parts":[[2018,9,6]],"date-time":"2018-09-06T06:43:19Z","timestamp":1536216199000},"page":"273-294","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":660,"title":["Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks"],"prefix":"10.1007","author":[{"given":"Kang","family":"Liu","sequence":"first","affiliation":[]},{"given":"Brendan","family":"Dolan-Gavitt","sequence":"additional","affiliation":[]},{"given":"Siddharth","family":"Garg","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,9,7]]},"reference":[{"key":"13_CR1","unstructured":"ImageNet large scale visual recognition competition. http:\/\/www.image-net.org\/challenges\/LSVRC\/2012\/ (2012)"},{"key":"13_CR2","unstructured":"Amazon Web Services Inc: Amazon Elastic Compute Cloud (Amazon EC2)"},{"key":"13_CR3","unstructured":"Amazon.com, Inc.: Deep Learning AMI Amazon Linux Version"},{"issue":"3","key":"13_CR4","first-page":"32","volume":"13","author":"S Anwar","year":"2017","unstructured":"Anwar, S.: Structured pruning of deep convolutional neural networks. ACM J. Emerg. Technol. Comput. Syst. (JETC) 13(3), 32 (2017)","journal-title":"ACM J. Emerg. Technol. Comput. Syst. (JETC)"},{"key":"13_CR5","unstructured":"Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. In: Proceedings of the 35th International Conference on Machine Learning, ICML 2018, July 2018. https:\/\/arxiv.org\/abs\/1802.00420"},{"key":"13_CR6","unstructured":"Bahdanau, D., Cho, K., Bengio, Y.: Neural machine translation by jointly learning to align and translate (2014)"},{"key":"13_CR7","doi-asserted-by":"publisher","unstructured":"Barreno, M., Nelson, B., Sears, R., Joseph, A.D., Tygar, J.D.: Can machine learning be secure? In: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security. ASIACCS 2006 (2006). https:\/\/doi.org\/10.1145\/1128817.1128824","DOI":"10.1145\/1128817.1128824"},{"key":"13_CR8","unstructured":"Blum, A., Rivest, R.L.: Training a 3-node neural network is NP-complete. In: Advances in neural information processing systems, pp. 494\u2013501 (1989)"},{"key":"13_CR9","unstructured":"Carlini, N., Wagner, D.A.: Defensive distillation is not robust to adversarial examples. CoRR abs\/1607.04311 (2016). http:\/\/arxiv.org\/abs\/1607.04311"},{"key":"13_CR10","unstructured":"Chen, X., Liu, C., Li, B., Lu, K., Song, D.: Targeted backdoor attacks on deep learning systems using data poisoning. ArXiv e-prints, December 2017"},{"key":"13_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"61","DOI":"10.1007\/11856214_4","volume-title":"Recent Advances in Intrusion Detection","author":"SP Chung","year":"2006","unstructured":"Chung, S.P., Mok, A.K.: Allergy attack against automatic signature generation. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 61\u201380. Springer, Heidelberg (2006). https:\/\/doi.org\/10.1007\/11856214_4"},{"key":"13_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"236","DOI":"10.1007\/978-3-540-74320-0_13","volume-title":"Recent Advances in Intrusion Detection","author":"SP Chung","year":"2007","unstructured":"Chung, S.P., Mok, A.K.: Advanced allergy attacks: does a corpus really help? In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 236\u2013255. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-74320-0_13"},{"key":"13_CR13","unstructured":"Dhillon, G.S., et al.: Stochastic activation pruning for robust adversarial defense. In: International Conference on Learning Representations (2018). https:\/\/openreview.net\/forum?id=H1uR4GZRZ"},{"key":"13_CR14","doi-asserted-by":"publisher","unstructured":"Fogla, P., Lee, W.: Evading network anomaly detection systems: formal reasoning and practical techniques. In: Proceedings of the 13th ACM Conference on Computer and Communications Security. CCS 2006 (2006). https:\/\/doi.org\/10.1145\/1180405.1180414","DOI":"10.1145\/1180405.1180414"},{"key":"13_CR15","unstructured":"Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O., Lee, W.: Polymorphic blending attacks. In: USENIX-SS 2006 Proceedings of the 15th Conference on USENIX Security Symposium, vol. 15 (2006)"},{"key":"13_CR16","unstructured":"Google Inc: Google Cloud Machine Learning Engine. https:\/\/cloud.google.com\/ml-engine\/"},{"key":"13_CR17","doi-asserted-by":"crossref","unstructured":"Graves, A., Mohamed, A.R., Hinton, G.: Speech recognition with deep recurrent neural networks. In: 2013 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pp. 6645\u20136649. IEEE (2013)","DOI":"10.1109\/ICASSP.2013.6638947"},{"key":"13_CR18","unstructured":"Gu, T., Garg, S., Dolan-Gavitt, B.: BadNets: identifying vulnerabilities in the machine learning model supply chain. In: NIPS Machine Learning and Computer Security Workshop (2017). https:\/\/arxiv.org\/abs\/1708.06733"},{"key":"13_CR19","unstructured":"Han, S., Mao, H., Dally, W.J.: Deep compression: compressing deep neural networks with pruning, trained quantization and huffman coding. In: International Conference on Learning Representations (ICLR) (2016)"},{"key":"13_CR20","unstructured":"He, W., Wei, J., Chen, X., Carlini, N., Song, D.: Adversarial example defense: ensembles of weak defenses are not strong. In: 11th USENIX Workshop on Offensive Technologies (WOOT 2017). USENIX Association, Vancouver, BC (2017). https:\/\/www.usenix.org\/conference\/woot17\/workshop-program\/presentation\/he"},{"key":"13_CR21","unstructured":"Hermann, K.M., Blunsom, P.: Multilingual distributed representations without word alignment. In: Proceedings of ICLR, April 2014. http:\/\/arxiv.org\/abs\/1312.6173"},{"key":"13_CR22","doi-asserted-by":"crossref","unstructured":"Iandola, F.N., Moskewicz, M.W., Ashraf, K., Keutzer, K.: FireCaffe: near-linear acceleration of deep neural network training on compute clusters. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 2592\u20132600 (2016)","DOI":"10.1109\/CVPR.2016.284"},{"key":"13_CR23","unstructured":"Karlberger, C., Bayler, G., Kruegel, C., Kirda, E.: Exploiting redundancy in natural language to penetrate bayesian spam filters. In: Proceedings of the First USENIX Workshop on Offensive Technologies. WOOT 2007 (2007)"},{"key":"13_CR24","unstructured":"Krizhevsky, A., Sutskever, I., Hinton, G.E.: Imagenet classification with deep convolutional neural networks. In: Advances in Neural Information Processing Systems, pp. 1097\u20131105 (2012)"},{"key":"13_CR25","unstructured":"Li, H., et al.: Pruning filters for efficient convnets. arXiv preprint arXiv:1608.08710 (2016)"},{"key":"13_CR26","doi-asserted-by":"crossref","unstructured":"Liu, C., Li, B., Vorobeychik, Y., Oprea, A.: Robust linear regression against training data poisoning. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pp. 91\u2013102. ACM (2017)","DOI":"10.1145\/3128572.3140447"},{"key":"13_CR27","doi-asserted-by":"crossref","unstructured":"Liu, Y., et al.: Trojaning attack on neural networks. In: 25nd Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, 18\u201321 February 2018. The Internet Society (2018)","DOI":"10.14722\/ndss.2018.23291"},{"key":"13_CR28","unstructured":"Liu, Y., Xie, Y., Srivastava, A.: Neural trojans. CoRR abs\/1710.00942 (2017). http:\/\/arxiv.org\/abs\/1710.00942"},{"key":"13_CR29","doi-asserted-by":"publisher","unstructured":"Lowd, D., Meek, C.: Adversarial learning. In: Proceedings of the Eleventh ACM SIGKDD International Conference on Knowledge Discovery in Data Mining. KDD 2005, pp. 641\u2013647. ACM, New York (2005). https:\/\/doi.org\/10.1145\/1081870.1081950","DOI":"10.1145\/1081870.1081950"},{"key":"13_CR30","unstructured":"Lowd, D., Meek, C.: Good word attacks on statistical spam filters. In: Proceedings of the Conference on Email and Anti-Spam (CEAS) (2005)"},{"key":"13_CR31","unstructured":"Microsoft Corporation: Azure Batch AI Training. https:\/\/batchaitraining.azure.com\/"},{"key":"13_CR32","doi-asserted-by":"crossref","unstructured":"M\u00f8gelmose, A., Liu, D., Trivedi, M.M.: Traffic sign detection for us roads: remaining challenges and a case for tracking. In: 2014 IEEE 17th International Conference on Intelligent Transportation Systems (ITSC), pp. 1394\u20131399. IEEE (2014)","DOI":"10.1109\/ITSC.2014.6957882"},{"key":"13_CR33","unstructured":"Molchanov, P., et al.: Pruning convolutional neural networks for resource efficient inference (2016)"},{"key":"13_CR34","unstructured":"Mu\u00f1oz-Gonz\u00e1lez, L., et al.: Towards poisoning of deep learning algorithms with back-gradient optimization. CoRR abs\/1708.08689 (2017). http:\/\/arxiv.org\/abs\/1708.08689"},{"key":"13_CR35","unstructured":"Nelson, B., et al.: Exploiting machine learning to subvert your spam filter. In: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats. LEET 2008, pp. 7:1\u20137:9. USENIX Association, Berkeley (2008)"},{"key":"13_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1007\/11856214_5","volume-title":"Recent Advances in Intrusion Detection","author":"J Newsome","year":"2006","unstructured":"Newsome, J., Karp, B., Song, D.: Paragraph: thwarting signature learning by training maliciously. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 81\u2013105. Springer, Heidelberg (2006). https:\/\/doi.org\/10.1007\/11856214_5"},{"key":"13_CR37","doi-asserted-by":"publisher","unstructured":"Papernot, N., McDaniel, P., Wu, X., Jha, S., Swami, A.: Distillation as a defense to adversarial perturbations against deep neural networks. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 582\u2013597, May 2016. https:\/\/doi.org\/10.1109\/SP.2016.41","DOI":"10.1109\/SP.2016.41"},{"key":"13_CR38","unstructured":"Ren, S., He, K., Girshick, R., Sun, J.: Faster R-CNN: towards real-time object detection with region proposal networks. In: Advances in Neural Information Processing Systems, pp. 91\u201399 (2015)"},{"key":"13_CR39","unstructured":"Suciu, O., Marginean, R., Kaya, Y., Daum\u00e9 III, H., Dumitras, T.: When does machine learning FAIL? Generalized transferability for evasion and poisoning attacks. In: 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore (2018). https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/suciu"},{"key":"13_CR40","doi-asserted-by":"crossref","unstructured":"Sun, Y., Wang, X., Tang, X.: Deep learning face representation from predicting 10,000 classes. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 1891\u20131898 (2014)","DOI":"10.1109\/CVPR.2014.244"},{"key":"13_CR41","doi-asserted-by":"crossref","unstructured":"Tan, K.M.C., Killourhy, K.S., Maxion, R.A.: Undermining an anomaly-based intrusion detection system using common exploits. In: Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection. RAID 2002 (2002)","DOI":"10.1007\/3-540-36084-0_4"},{"key":"13_CR42","doi-asserted-by":"crossref","unstructured":"Tung, F., Muralidharan, S., Mori, G.: Fine-pruning: joint fine-tuning and compression of a convolutional network with Bayesian optimization. In: British Machine Vision Conference (BMVC) (2017)","DOI":"10.5244\/C.31.115"},{"key":"13_CR43","doi-asserted-by":"publisher","unstructured":"Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security. CCS 2002 (2002). https:\/\/doi.org\/10.1145\/586110.586145","DOI":"10.1145\/586110.586145"},{"key":"13_CR44","unstructured":"Wittel, G.L., Wu, S.F.: On attacking statistical spam filters. In: Proceedings of the Conference on Email and Anti-Spam (CEAS), Mountain View, CA, USA (2004)"},{"key":"13_CR45","doi-asserted-by":"publisher","unstructured":"Wolf, L., Hassner, T., Maoz, I.: Face recognition in unconstrained videos with matched background similarity. In: CVPR 2011, pp. 529\u2013534, June 2011. https:\/\/doi.org\/10.1109\/CVPR.2011.5995566","DOI":"10.1109\/CVPR.2011.5995566"},{"key":"13_CR46","unstructured":"Xiao, H., Rasul, K., Vollgraf, R.: Fashion-MNIST: a novel image dataset for benchmarking machine learning algorithms. CoRR abs\/1708.07747 (2017). http:\/\/arxiv.org\/abs\/1708.07747"},{"key":"13_CR47","unstructured":"Yosinski, J., Clune, J., Bengio, Y., Lipson, H.: How transferable are features in deep neural networks? In: Advances in Neural Information Processing Systems, pp. 3320\u20133328 (2014)"},{"key":"13_CR48","doi-asserted-by":"crossref","unstructured":"Yu, J., et al.: Scalpel: Customizing DNN pruning to the underlying hardware parallelism. In: Proceedings of the 44th Annual International Symposium on Computer Architecture, pp. 548\u2013560. ACM (2017)","DOI":"10.1145\/3140659.3080215"}],"container-title":["Lecture Notes in Computer Science","Research in Attacks, Intrusions, and Defenses"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-00470-5_13","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,10,23]],"date-time":"2019-10-23T16:38:09Z","timestamp":1571848689000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-00470-5_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783030004699","9783030004705"],"references-count":48,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-00470-5_13","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018]]}}}