{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,18]],"date-time":"2026-06-18T08:53:29Z","timestamp":1781772809715,"version":"3.54.5"},"reference-count":403,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2026,4,7]],"date-time":"2026-04-07T00:00:00Z","timestamp":1775520000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,4,7]],"date-time":"2026-04-07T00:00:00Z","timestamp":1775520000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"funder":[{"DOI":"10.13039\/501100021171","name":"Basic and Applied Basic Research Foundation of Guangdong Province","doi-asserted-by":"publisher","award":["2024B1515020095"],"award-info":[{"award-number":["2024B1515020095"]}],"id":[{"id":"10.13039\/501100021171","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62076213"],"award-info":[{"award-number":["62076213"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100017610","name":"Shenzhen Science and Technology Innovation Program","doi-asserted-by":"publisher","award":["RCYX20210609103057050"],"award-info":[{"award-number":["RCYX20210609103057050"]}],"id":[{"id":"10.13039\/501100017610","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100017610","name":"Shenzhen Science and Technology Innovation Program","doi-asserted-by":"publisher","award":["JCYJ20240813113608011"],"award-info":[{"award-number":["JCYJ20240813113608011"]}],"id":[{"id":"10.13039\/501100017610","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Longgang District Key Laboratory of Intelligent Digital Economy 
Security","award":["62471420"],"award-info":[{"award-number":["62471420"]}]},{"name":"CCF-Tencent Rhino-Bird Open Research Fund"},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62176025"],"award-info":[{"award-number":["62176025"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U21B2045"],"award-info":[{"award-number":["U21B2045"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int J Comput Vis"],"published-print":{"date-parts":[[2026,5]]},"DOI":"10.1007\/s11263-025-02692-0","type":"journal-article","created":{"date-parts":[[2026,4,7]],"date-time":"2026-04-07T02:20:40Z","timestamp":1775528440000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Attacks in Adversarial Machine Learning: A Systematic Survey from the Lifecycle 
Perspective"],"prefix":"10.1007","volume":"134","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2183-5990","authenticated-orcid":false,"given":"Baoyuan","family":"Wu","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zihao","family":"Zhu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Li","family":"Liu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Qingshan","family":"Liu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhaofeng","family":"He","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Siwei","family":"Lyu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2026,4,7]]},"reference":[{"key":"2692_CR1","unstructured":"Adi, Y., Baum, C., Cisse, M., Pinkas, B., & Keshet, J. (2018). Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In: USENIX Security, pp. 1615\u20131631."},{"key":"2692_CR2","doi-asserted-by":"crossref","unstructured":"Agarwal, A., Singh, R., Vatsa, M., & Ratha, N. (2018). Are image-agnostic universal adversarial perturbations for face recognition difficult to detect? In: IEEE BTAS.","DOI":"10.1109\/BTAS.2018.8698548"},{"key":"2692_CR3","doi-asserted-by":"crossref","unstructured":"Agoyan, M., Dutertre, J.-M., Mirbaha, A.-P., Naccache, D., Ribotta, A.-L., & Tria, A. (2010). How to flip a bit? In: IOLTS.","DOI":"10.1109\/IOLTS.2010.5560194"},{"issue":"1","key":"2692_CR4","doi-asserted-by":"publisher","first-page":"90","DOI":"10.1109\/T-C.1974.223784","volume":"100","author":"N Ahmed","year":"1974","unstructured":"Ahmed, N., Natarajan, T., & Rao, K. R. (1974). Discrete cosine transform. 
IEEE Transactions on Computers, 100(1), 90\u201393.","journal-title":"IEEE Transactions on Computers"},{"key":"2692_CR5","doi-asserted-by":"publisher","first-page":"14410","DOI":"10.1109\/ACCESS.2018.2807385","volume":"6","author":"N Akhtar","year":"2018","unstructured":"Akhtar, N., & Mian, A. (2018). Threat of adversarial attacks on deep learning in computer vision: A survey. IEEE Access, 6, 14410\u201314430.","journal-title":"IEEE Access"},{"key":"2692_CR6","unstructured":"Al-Dujaili, A., & O\u2019Reilly, U.-M. (2019). Sign bits are all you need for black-box attacks. In: ICLR."},{"key":"2692_CR7","doi-asserted-by":"crossref","unstructured":"Andriushchenko, M., Croce, F., Flammarion, N., & Hein, M. (2020). Square attack: a query-efficient black-box adversarial attack via random search. In: ECCV.","DOI":"10.1007\/978-3-030-58592-1_29"},{"issue":"3","key":"2692_CR8","doi-asserted-by":"publisher","first-page":"75","DOI":"10.1109\/4236.935180","volume":"5","author":"D Artz","year":"2001","unstructured":"Artz, D. (2001). Digital steganography: Hiding data within data. IEEE Internet Computing, 5(3), 75\u201380.","journal-title":"IEEE Internet Computing"},{"key":"2692_CR9","unstructured":"Athalye, A., Engstrom, L., Ilyas, A., & Kwok, K. (2018). Synthesizing robust adversarial examples. In: ICML."},{"key":"2692_CR10","unstructured":"Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., & Shmatikov, V. (2020). How to backdoor federated learning. In: AISTATS."},{"key":"2692_CR11","doi-asserted-by":"crossref","unstructured":"Bai, J., Gao, K., Min, S., Xia, S.-T., Li, Z., & Liu, W. (2024). Badclip: Trigger-aware prompt learning for backdoor attacks on clip. In: CVPR, pp. 24239\u201324250.","DOI":"10.1109\/CVPR52733.2024.02288"},{"key":"2692_CR12","unstructured":"Bai, J., Wu, B., Zhang, Y., Li, Y., Li, Z., & Xia, S.-T. (2021). Targeted attack against deep neural networks via flipping limited weight bits. 
In: ICLR."},{"issue":"11","key":"2692_CR13","doi-asserted-by":"publisher","first-page":"13653","DOI":"10.1109\/TPAMI.2023.3296408","volume":"45","author":"J Bai","year":"2023","unstructured":"Bai, J., Wu, B., Li, Z., & Xia, S.-T. (2023). Versatile weight attack via flipping limited bits. IEEE Transactions on Pattern Analysis and Machine Intelligence, 45(11), 13653\u201313665.","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"2692_CR14","unstructured":"Baluja, S. (2017). Hiding images in plain sight: Deep steganography. In: NeurIPS ."},{"key":"2692_CR15","doi-asserted-by":"crossref","unstructured":"Bansal, H., Singhi, N., Yang, Y., Yin, F., Grover, A., & Chang, K.-W. (2023) Cleanclip: Mitigating data poisoning attacks in multimodal contrastive learning. In: ICCV.","DOI":"10.1109\/ICCV51070.2023.00017"},{"key":"2692_CR16","doi-asserted-by":"crossref","unstructured":"Barni, M., Kallas, K., & Tondi, B. (2019). A new backdoor attack in cnns by training set corruption without label poisoning. In: ICIP.","DOI":"10.1109\/ICIP.2019.8802997"},{"key":"2692_CR17","unstructured":"Bhagoji, A.N., Chakraborty, S., Mittal, P., & Calo, S. (2019). Analyzing federated learning through an adversarial lens. In: ICML."},{"key":"2692_CR18","volume-title":"Pattern recognition and machine learning","author":"CM Bishop","year":"2006","unstructured":"Bishop, C. M., & Nasrabadi, N. M. (2006). Pattern recognition and machine learning. Berlin: Springer."},{"key":"2692_CR19","doi-asserted-by":"crossref","unstructured":"Bober-Irizar, M., Shumailov, I., Zhao, Y., Mullins, R., & Papernot, N. (2023). Architectural backdoors in neural networks. In: CVPR.","DOI":"10.1109\/CVPR52729.2023.02356"},{"issue":"1","key":"2692_CR20","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1561\/2200000016","volume":"3","author":"S Boyd","year":"2011","unstructured":"Boyd, S., Parikh, N., Chu, E., Peleato, B., Eckstein, J., et al. (2011). 
Distributed optimization and statistical learning via the alternating direction method of multipliers. Foundations and Trends in Machine learning, 3(1), 1\u2013122.","journal-title":"Foundations and Trends in Machine learning"},{"key":"2692_CR21","unstructured":"Brendel, W., Rauber, J., & Bethge, M. (2018). Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In: ICLR."},{"key":"2692_CR22","doi-asserted-by":"crossref","unstructured":"Byun, J., Cho, S., Kwon, M.-J., Kim, H.-S., & Kim, C. (2022). Improving the transferability of targeted adversarial examples through object-based diverse input. In: CVPR.","DOI":"10.1109\/CVPR52688.2022.01481"},{"key":"2692_CR23","first-page":"5348","volume":"35","author":"Z Cai","year":"2022","unstructured":"Cai, Z., Song, C., Krishnamurthy, S., Roy-Chowdhury, A., & Asif, M. S. (2022). Black-box attacks via surrogate ensemble search. Advances in Neural Information Processing Systems, 35, 5348.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR24","doi-asserted-by":"publisher","first-page":"37068","DOI":"10.52202\/068431-2686","volume":"35","author":"X Cai","year":"2022","unstructured":"Cai, X., Xu, S., Zhang, Y., & Yuan, X. (2022). Badprompt: backdoor attacks on continuous prompts. Advances in Neural Information Processing Systems, 35, 37068.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR25","unstructured":"Cao, B., Ren, Y., Zhao, H., et\u00a0al. (2024). An image is worth 1000 lies: Transferability of adversarial images across prompts on v-lms. In: ICLR."},{"key":"2692_CR26","unstructured":"Carlini, N., & Terzis, A. (2022). Poisoning and backdooring contrastive learning. In: ICLR."},{"key":"2692_CR27","doi-asserted-by":"crossref","unstructured":"Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks. 
In: IEEE S&P.","DOI":"10.1109\/SP.2017.49"},{"key":"2692_CR28","doi-asserted-by":"crossref","unstructured":"Carlini, N., & Wagner, D. (2018). Audio adversarial examples: Targeted attacks on speech-to-text. In: IEEE S&P Workshops.","DOI":"10.1109\/SPW.2018.00009"},{"key":"2692_CR29","first-page":"61478","volume":"36","author":"N Carlini","year":"2024","unstructured":"Carlini, N., Nasr, M., Choquette-Choo, C. A., Jagielski, M., Gao, I., Koh, P. W. W., Ippolito, D., Tramer, F., & Schmidt, L. (2024). Are aligned neural networks adversarially aligned? Advances in Neural Information Processing Systems, 36, 61478.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR30","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-68830-3","volume-title":"Advances in differential evolution","author":"UK Chakraborty","year":"2008","unstructured":"Chakraborty, U. K. (2008). Advances in differential evolution. Berlin: Springer."},{"key":"2692_CR31","doi-asserted-by":"crossref","unstructured":"Chan, A., Tay, Y., Ong, Y.-S., & Zhang, A. (2020). Poison attacks against text datasets with conditional adversarially regularized autoencoder. In: Findings of EMNLP.","DOI":"10.18653\/v1\/2020.findings-emnlp.373"},{"issue":"7","key":"2692_CR32","doi-asserted-by":"publisher","first-page":"1583","DOI":"10.1016\/S0031-3203(02)00289-3","volume":"36","author":"C-C Chang","year":"2003","unstructured":"Chang, C.-C., Hsiao, J.-Y., & Chan, C.-S. (2003). Finding optimal least-significant-bit substitution in image hiding by dynamic programming strategy. Pattern Recognition, 36(7), 1583\u20131595.","journal-title":"Pattern Recognition"},{"key":"2692_CR33","doi-asserted-by":"crossref","unstructured":"Chattopadhyay, N., & Chattopadhyay, A. (2021). Rowback: Robust watermarking for neural networks using backdoors. In: ICMLA.","DOI":"10.1109\/ICMLA52953.2021.00274"},{"key":"2692_CR34","doi-asserted-by":"crossref","unstructured":"Chen, J., & Gu, Q. (2020). 
Rays: A ray searching method for hard-label adversarial attack. In: ACM SIGKDD.","DOI":"10.1145\/3394486.3403225"},{"key":"2692_CR35","doi-asserted-by":"crossref","unstructured":"Chen, S., Chen, H., Haque, M., Liu, C., & Yang, W. (2023). The dark side of dynamic routing neural networks: Towards efficiency backdoor injection. In: CVPR.","DOI":"10.1109\/CVPR52729.2023.02355"},{"key":"2692_CR36","doi-asserted-by":"crossref","unstructured":"Chen, S.-T., Cornelius, C., Martin, J., & Chau, D.H.P. (2018). Shapeshifter: Robust physical adversarial attack on faster r-cnn object detector. In: ECML PKDD.","DOI":"10.1007\/978-3-030-10925-7_4"},{"key":"2692_CR37","doi-asserted-by":"crossref","unstructured":"Chen, H., Fu, C., Zhao, J., & Koushanfar, F. (2021). Proflip: Targeted trojan attack with progressive bit flips. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.00762"},{"key":"2692_CR38","unstructured":"Chen, C.-L., Golubchik, L., & Paolieri, M. (2020). Backdoor attacks on federated meta-learning. In: NeurIPS."},{"key":"2692_CR39","doi-asserted-by":"crossref","unstructured":"Chen, X., Jiang, T., Zhu, Y., et\u00a0al. (2023). On the adversarial robustness of multi-modal foundation models. In: ICCV Workshop on Adversarial Robustness of Vision Models.","DOI":"10.1016\/B978-0-12-824020-5.00027-2"},{"key":"2692_CR40","doi-asserted-by":"crossref","unstructured":"Chen, J., Jordan, M.I., & Wainwright, M.J. (2020). Hopskipjumpattack: A query-efficient decision-based attack. In: IEEE S&P, pp. 1277\u20131294.","DOI":"10.1109\/SP40000.2020.00045"},{"key":"2692_CR41","unstructured":"Chen, X., Liu, C., Li, B., Lu, K., Song, D. (2017). Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526."},{"key":"2692_CR42","doi-asserted-by":"crossref","unstructured":"Chen, J., Liu, X., Liang, S., Jia, X., & Xun, Y. (2023). Universal watermark vaccine: Universal adversarial perturbations for watermark protection. 
In: CVPR.","DOI":"10.1109\/CVPRW59228.2023.00228"},{"key":"2692_CR43","doi-asserted-by":"crossref","unstructured":"Chen, X., Salem, A., Chen, D., Backes, M., Ma, S., Shen, Q., Wu, Z., & Zhang, Y. (2021). Badnl: Backdoor attacks against nlp models with semantic-preserving improvements. In: ACSAC.","DOI":"10.1145\/3485832.3485837"},{"key":"2692_CR44","doi-asserted-by":"crossref","unstructured":"Chen, W., Song, D., & Li, B. (2023). Trojdiff: Trojan attacks on diffusion models with diverse targets. In: CVPR.","DOI":"10.1109\/CVPR52729.2023.00393"},{"key":"2692_CR45","doi-asserted-by":"crossref","unstructured":"Chen, H., Zhang, H., Chen, P.-Y., Yi, J., & Hsieh, C.-J. (2018). Attacking visual language grounding with adversarial examples: A case study on neural image captioning. In: ACL.","DOI":"10.18653\/v1\/P18-1241"},{"key":"2692_CR46","doi-asserted-by":"crossref","unstructured":"Chen, W., Zhang, Z., Hu, X., & Wu, B. (2020). Boosting decision-based black-box adversarial attacks with random sign flip. In: ECCV.","DOI":"10.1007\/978-3-030-58555-6_17"},{"key":"2692_CR47","unstructured":"Cheng, S., Dong, Y., Pang, T., Su, H., & Zhu, J. (2019). Improving black-box adversarial attacks with a transfer-based prior. In: NeurIPS."},{"key":"2692_CR48","unstructured":"Cheng, M., Le, T., Chen, P.-Y., Zhang, H., Yi, J., & Hsieh, C.-J. (2019). Query-efficient hard-label black-box attack: An optimization-based approach. In: ICLR."},{"key":"2692_CR49","doi-asserted-by":"publisher","first-page":"1148","DOI":"10.1609\/aaai.v35i2.16201","volume":"35","author":"S Cheng","year":"2021","unstructured":"Cheng, S., Liu, Y., Ma, S., & Zhang, X. (2021). Deep feature space trojan attack of neural networks by controlled detoxification. 
Proceedings of the AAAI Conference on Artificial Intelligence, 35, 1148.","journal-title":"Proceedings of the AAAI Conference on Artificial Intelligence"},{"key":"2692_CR50","doi-asserted-by":"publisher","first-page":"14929","DOI":"10.52202\/068431-1086","volume":"35","author":"S Chen","year":"2022","unstructured":"Chen, S., Huang, Z., Tao, Q., Wu, Y., Xie, C., & Huang, X. (2022). Adversarial attack on attackers: Post-process to mitigate black-box score-based query attacks. Advances in Neural Information Processing Systems, 35, 14929.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR51","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1016\/j.ins.2020.04.019","volume":"536","author":"J Chen","year":"2020","unstructured":"Chen, J., Zheng, H., Xiong, H., Shen, S., & Su, M. (2020). Mag-gan: Massive attack generator via gan. Information Sciences, 536, 67\u201390.","journal-title":"Information Sciences"},{"key":"2692_CR52","doi-asserted-by":"crossref","unstructured":"Chou, S.-Y., Chen, P.-Y., & Ho, T.-Y. (2023). How to backdoor diffusion models? In: CVPR.","DOI":"10.1109\/CVPR52729.2023.00391"},{"key":"2692_CR53","first-page":"33912","volume":"36","author":"S-Y Chou","year":"2023","unstructured":"Chou, S.-Y., Chen, P.-Y., & Ho, T.-Y. (2023). Villandiffusion: A unified backdoor attack framework for diffusion models. Advances in Neural Information Processing Systems, 36, 33912.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR54","doi-asserted-by":"crossref","unstructured":"Croce, F., & Hein, M. (2019). Sparse and imperceivable adversarial attacks. In: ICCV.","DOI":"10.1109\/ICCV.2019.00482"},{"key":"2692_CR55","unstructured":"Croce, F., & Hein, M. (2020). Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In: ICML."},{"key":"2692_CR56","unstructured":"Croce, F., & Hein, M. (2020). 
Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In: ICML."},{"key":"2692_CR57","unstructured":"Croce, F., Andriushchenko, M., Sehwag, V., Debenedetti, E., Flammarion, N., Chiang, M., Mittal, P., & Hein, M. (2021). Robustbench: a standardized adversarial robustness benchmark. In: NeurIPS D&B Track."},{"issue":"9","key":"2692_CR58","doi-asserted-by":"publisher","first-page":"10850","DOI":"10.1109\/TPAMI.2023.3261988","volume":"45","author":"F-A Croitoru","year":"2023","unstructured":"Croitoru, F.-A., Hondru, V., Ionescu, R. T., & Shah, M. (2023). Diffusion models in vision: A survey. IEEE Transactions on Pattern Analysis and Machine Intelligence, 45(9), 10850\u201310869.","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"2692_CR59","doi-asserted-by":"crossref","unstructured":"Cui, X., Aparcedo, A., Jang, Y.K., & Lim, S.-N. (2024). On the robustness of large multimodal models against image adversarial attacks. In: CVPR.","DOI":"10.1109\/CVPR52733.2024.02325"},{"key":"2692_CR60","first-page":"5009","volume":"35","author":"G Cui","year":"2022","unstructured":"Cui, G., Yuan, L., He, B., Chen, Y., Liu, Z., & Sun, M. (2022). A unified evaluation of textual backdoor learning: Frameworks and benchmarks. Advances in Neural Information Processing Systems, 35, 5009.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR61","doi-asserted-by":"crossref","unstructured":"Dang, P., Hu, X., Li, D., Zhang, R., Guo, Q., & Xu, K. (2025). Diffzoo: A purely query-based black-box attack for red-teaming text-to-image generative model via zeroth order optimization. In: Findings of NAACL, pp. 17\u201331.","DOI":"10.18653\/v1\/2025.findings-naacl.2"},{"key":"2692_CR62","doi-asserted-by":"crossref","unstructured":"Deb, D., Zhang, J., & Jain, A.K. (2019). Advfaces: Adversarial face synthesis. 
In: IJCB.","DOI":"10.1109\/IJCB48548.2020.9304898"},{"key":"2692_CR63","unstructured":"Ding, G.W., Wang, L., & Jin, X. (2019). AdverTorch v0.1: An adversarial robustness toolbox based on pytorch. arXiv preprint arXiv:1902.07623."},{"issue":"4","key":"2692_CR64","first-page":"1967","volume":"34","author":"X Ding","year":"2020","unstructured":"Ding, X., Fang, H., Zhang, Z., Choo, K.-K.R., & Jin, H. (2020). Privacy-preserving feature extraction via adversarial training. IEEE Transactions on Knowledge and Data Engineering, 34(4), 1967\u20131979.","journal-title":"IEEE Transactions on Knowledge and Data Engineering"},{"key":"2692_CR65","doi-asserted-by":"crossref","unstructured":"Doan, K., Lao, Y., Zhao, W., & Li, P. (2021). Lira: Learnable, imperceptible and robust backdoor attacks. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.01175"},{"key":"2692_CR66","first-page":"18944","volume":"34","author":"K Doan","year":"2021","unstructured":"Doan, K., Lao, Y., & Li, P. (2021). Backdoor attack with imperceptible input and latent modification. Advances in Neural Information Processing Systems, 34, 18944.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR67","doi-asserted-by":"publisher","first-page":"38260","DOI":"10.52202\/068431-2772","volume":"35","author":"KD Doan","year":"2022","unstructured":"Doan, K. D., Lao, Y., & Li, P. (2022). Marksman backdoor: Backdoor attacks with arbitrary target class. Advances in Neural Information Processing Systems, 35, 38260.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR68","doi-asserted-by":"crossref","unstructured":"Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., & Li, J. (2018). Boosting adversarial attacks with momentum. In: CVPR.","DOI":"10.1109\/CVPR.2018.00957"},{"key":"2692_CR69","doi-asserted-by":"crossref","unstructured":"Dong, Y., Pang, T., Su, H., & Zhu, J. (2019). Evading defenses to transferable adversarial examples by translation-invariant attacks. 
In: CVPR.","DOI":"10.1109\/CVPR.2019.00444"},{"key":"2692_CR70","doi-asserted-by":"crossref","unstructured":"Dong, Y., Su, H., Wu, B., Li, Z., Liu, W., Zhang, T., & Zhu, J. (2019). Efficient decision-based black-box adversarial attacks on face recognition. In: CVPR.","DOI":"10.1109\/CVPR.2019.00790"},{"key":"2692_CR71","unstructured":"Dong, Y., Wang, T., Li, Y., & Li, B. (2024). Adversarial illusions in multi-modal embeddings. In: USENIX Security."},{"issue":"12","key":"2692_CR72","doi-asserted-by":"publisher","first-page":"9536","DOI":"10.1109\/TPAMI.2021.3126733","volume":"44","author":"Y Dong","year":"2022","unstructured":"Dong, Y., Cheng, S., Pang, T., Su, H., & Zhu, J. (2022). Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence, 44(12), 9536\u20139548.","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"2692_CR73","doi-asserted-by":"crossref","unstructured":"Douceur, J.R. (2002). The sybil attack. In: International Workshop on Peer-to-peer Systems. Springer.","DOI":"10.1007\/3-540-45748-8_24"},{"key":"2692_CR74","unstructured":"Du, J., Zhang, H., Zhou, J.T., Yang, Y., & Feng, J. (2020). Query-efficient meta attack to deep neural networks. In: ICLR."},{"key":"2692_CR75","doi-asserted-by":"crossref","unstructured":"Du, W., Zhao, Y., Li, B., Liu, G., & Wang, S. (2022). Ppt: Backdoor attacks on pre-trained models via poisoned prompt tuning. In: IJCAI.","DOI":"10.24963\/ijcai.2022\/96"},{"key":"2692_CR76","doi-asserted-by":"crossref","unstructured":"Du, W., Zhao, Y., Li, B., Liu, G., & Wang, S. (2022). Ppt: Backdoor attacks on pre-trained models via poisoned prompt tuning. In: IJCAI.","DOI":"10.24963\/ijcai.2022\/96"},{"key":"2692_CR77","doi-asserted-by":"crossref","unstructured":"Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., & Yang, Y. (2020). Adversarial camouflage: Hiding physical-world attacks with natural styles. 
In: CVPR.","DOI":"10.1109\/CVPR42600.2020.00108"},{"key":"2692_CR78","unstructured":"Engstrom, L., Tran, B., Tsipras, D., Schmidt, L., & Madry, A. (2019). Exploring the landscape of spatial robustness. In: ICML."},{"key":"2692_CR79","doi-asserted-by":"publisher","first-page":"1561","DOI":"10.1109\/TIFS.2023.3275737","volume":"19","author":"A Esmaeili","year":"2023","unstructured":"Esmaeili, A., Edraki, M., Rahnavard, N., Mian, A., & Shah, M. (2023). Low-rank and sparse decomposition for low-query decision-based adversarial attacks. IEEE Transactions on Information Forensics and Security, 19, 1561.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"2692_CR80","unstructured":"Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Tram\u00e8r, F., Prakash, A., Kohno, T., & Song, D. (2018). Physical adversarial examples for object detectors. In: USENIX Conference on Offensive Technologies."},{"key":"2692_CR81","doi-asserted-by":"crossref","unstructured":"Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., & Song, D. (2018). Robust physical-world attacks on deep learning visual classification. In: CVPR.","DOI":"10.1109\/CVPR.2018.00175"},{"key":"2692_CR82","doi-asserted-by":"crossref","unstructured":"Fan, Y., Wu, B., Li, T., Zhang, Y., Li, M., Li, Z., & Yang, Y. (2020). Sparse adversarial attack via perturbation factorization. In: ECCV.","DOI":"10.1007\/978-3-030-58542-6_3"},{"key":"2692_CR83","doi-asserted-by":"crossref","unstructured":"Fawzi, A., & Frossard, P. (2015). Manitest: Are classifiers really invariant? In: BMVC.","DOI":"10.5244\/C.29.106"},{"issue":"4","key":"2692_CR84","doi-asserted-by":"publisher","first-page":"1133","DOI":"10.1137\/090779346","volume":"40","author":"U Feige","year":"2011","unstructured":"Feige, U., Mirrokni, V. S., & Vondr\u00e1k, J. (2011). Maximizing non-monotone submodular functions. 
SIAM Journal on Computing, 40(4), 1133\u20131153.","journal-title":"SIAM Journal on Computing"},{"key":"2692_CR85","doi-asserted-by":"crossref","unstructured":"Feng, L., Li, S., Qian, Z., & Zhang, X. (2022). Stealthy backdoor attack with adversarial training. In: ICASSP.","DOI":"10.1109\/ICASSP43922.2022.9746008"},{"key":"2692_CR86","doi-asserted-by":"crossref","unstructured":"Feng, Y., Ma, B., Zhang, J., Zhao, S., Xia, Y., & Tao, D. (2022). Fiba: Frequency-injection based backdoor attack in medical image analysis. In: CVPR.","DOI":"10.1109\/CVPR52688.2022.02021"},{"key":"2692_CR87","doi-asserted-by":"crossref","unstructured":"Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z. & Xia, S. (2022). Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR.","DOI":"10.1109\/CVPR52688.2022.01467"},{"key":"2692_CR88","doi-asserted-by":"crossref","unstructured":"Feng, W., Wu, B., Zhang, T., Zhang, Y., & Zhang, Y. (2021). Meta-attack: Class-agnostic and model-agnostic physical adversarial attack. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.00769"},{"key":"2692_CR89","unstructured":"Fung, C., Yoon, C.J., & Beschastnikh, I. (2020). The limitations of federated learning in sybil settings. In: 23rd International symposium on research in attacks, intrusions and defenses."},{"key":"2692_CR90","unstructured":"Gao, Y., Doan, B.G., Zhang, Z., Ma, S., Zhang, J., Fu, A., Nepal, S., & Kim, H. (2020). Backdoor attacks and countermeasures on deep learning: A comprehensive review. arXiv preprint arXiv:2007.10760."},{"key":"2692_CR91","doi-asserted-by":"publisher","first-page":"1267","DOI":"10.1109\/TIFS.2023.3333687","volume":"19","author":"K Gao","year":"2023","unstructured":"Gao, K., Bai, J., Wu, B., Ya, M., & Xia, S.-T. (2023). Imperceptible and robust backdoor attack in 3d point cloud. 
IEEE Transactions on Information Forensics and Security, 19, 1267\u20131282.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"2692_CR92","doi-asserted-by":"crossref","unstructured":"Garg, S., Kumar, A., Goel, V., & Liang, Y. (2020). Can adversarial weight perturbations inject neural backdoors. In: ACM CIKM.","DOI":"10.1145\/3340531.3412130"},{"key":"2692_CR93","doi-asserted-by":"crossref","unstructured":"Gatys, L.A., Ecker, A.S., & Bethge, M. (2016). Image style transfer using convolutional neural networks. In: CVPR, pp. 2414\u20132423.","DOI":"10.1109\/CVPR.2016.265"},{"key":"2692_CR94","doi-asserted-by":"publisher","first-page":"70141","DOI":"10.52202\/075280-3073","volume":"36","author":"Z Ge","year":"2023","unstructured":"Ge, Z., Liu, H., Xiaosen, W., Shang, F., & Liu, Y. (2023). Boosting adversarial transferability by achieving flat local maxima. Advances in Neural Information Processing Systems, 36, 70141.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR95","doi-asserted-by":"crossref","unstructured":"Ghavami, B., Movi, S., Fang, Z., & Shannon, L. (2022). Stealthy attack on algorithmic-protected dnns via smart bit flipping. In: ISQED.","DOI":"10.1109\/ISQED54688.2022.9806152"},{"key":"2692_CR96","doi-asserted-by":"crossref","unstructured":"Gong, X., Chen, Y., Wang, Q., Huang, H., Meng, L., Shen, C., & Zhang, Q. (2021). Defense-resistant backdoor attacks against deep neural networks in outsourced cloud environment. IEEE JSAC.","DOI":"10.1109\/JSAC.2021.3087237"},{"key":"2692_CR97","unstructured":"Goodfellow, I., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., Courville, A., & Bengio, Y. (2014). Generative adversarial nets. In: NIPS."},{"key":"2692_CR98","unstructured":"Goodfellow, I., Shlens, J. & Szegedy, C. (2015) Explaining and harnessing adversarial examples. 
In: ICLR."},{"key":"2692_CR99","unstructured":"Goodman, D., Xin, H., Yang, W., Yuesheng, W., Junfeng, X., & Huan, Z. (2020). Advbox: a toolbox to generate adversarial examples that fool neural networks. arXiv preprint arXiv:2001.05574."},{"key":"2692_CR100","doi-asserted-by":"crossref","unstructured":"Guan, W., He, Z., Wang, W., Dong, J., & Peng, B. (2022). Defending against deepfakes with ensemble adversarial perturbation. In: ICPR.","DOI":"10.1109\/ICPR56361.2022.9956501"},{"key":"2692_CR101","doi-asserted-by":"publisher","first-page":"118","DOI":"10.1609\/aaai.v38i1.27762","volume":"38","author":"J Guan","year":"2024","unstructured":"Guan, J., Zhao, Y., Xu, Z., Meng, C., Xu, K., & Zhao, Y. (2024). Adversarial robust safeguard for evading deep facial manipulation. AAAI, 38, 118\u2013126.","journal-title":"AAAI"},{"key":"2692_CR102","doi-asserted-by":"publisher","first-page":"47230","DOI":"10.1109\/ACCESS.2019.2909068","volume":"7","author":"T Gu","year":"2019","unstructured":"Gu, T., Liu, K., Dolan-Gavitt, B., & Garg, S. (2019). Badnets: Evaluating backdooring attacks on deep neural networks. IEEE Access, 7, 47230\u201347244.","journal-title":"IEEE Access"},{"key":"2692_CR103","unstructured":"Guo, C., Gardner, J., You, Y., Wilson, A.G., & Weinberger, K. (2019). Simple black-box adversarial attacks. In: ICML."},{"key":"2692_CR104","unstructured":"Guo, Y., Yan, Z., & Zhang, C. (2019). Subspace attack: Exploiting promising subspaces for query-efficient black-box attacks. In: NeurIPS."},{"key":"2692_CR105","first-page":"85","volume":"33","author":"Y Guo","year":"2020","unstructured":"Guo, Y., Li, Q., & Chen, H. (2020). Backpropagating linearly improves transferability of adversarial examples. Advances in Neural Information Processing Systems, 33, 85.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR106","doi-asserted-by":"crossref","unstructured":"Han, X., Xu, G., Zhou, Y., Yang, X., Li, J., & Zhang, T. (2022). 
Physical backdoor attacks to lane detection systems in autonomous driving. In: ACM Multimedia.","DOI":"10.1145\/3503161.3548171"},{"key":"2692_CR107","unstructured":"Hayase, J., & Oh, S. (2022). Few-shot backdoor attacks via neural tangent kernels. In: ICLR."},{"key":"2692_CR108","first-page":"8068","volume":"35","author":"S Hong","year":"2022","unstructured":"Hong, S., Carlini, N., & Kurakin, A. (2022). Handcrafted backdoors in deep neural networks. Advances in Neural Information Processing Systems, 35, 8068.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR109","doi-asserted-by":"crossref","unstructured":"Hu, H., Salcic, Z., Dobbie, G., Chen, J., Sun, L., & Zhang, X. (2022). Membership inference via backdooring. arXiv preprint arXiv:2206.04823.","DOI":"10.24963\/ijcai.2022\/532"},{"key":"2692_CR110","unstructured":"Huang, Z., & Zhang, T. (2020). Black-box adversarial attack with transferable model-based embedding. In: ICLR."},{"key":"2692_CR111","doi-asserted-by":"crossref","unstructured":"Huang, L., Gao, C., Zhou, Y., Xie, C., Yuille, A.L., Zou, C., & Liu, N. (2020). Universal physical camouflage attacks on object detectors. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.00080"},{"key":"2692_CR112","doi-asserted-by":"crossref","unstructured":"Huang, Q., Katsman, I., He, H., Gu, Z., Belongie, S., & Lim, S.-N. (2019). Enhancing adversarial example transferability with an intermediate level attack. In: ICCV.","DOI":"10.1109\/ICCV.2019.00483"},{"key":"2692_CR113","doi-asserted-by":"crossref","unstructured":"Huang, H., Wang, Y., Chen, Z., Zhang, Y., Li, Y., Tang, Z., Chu, W., Chen, J., Lin, W., & Ma, K.-K. (2022) Cmua-watermark: A cross-model universal adversarial watermark for combating deepfakes. In: AAAI.","DOI":"10.1609\/aaai.v36i1.19982"},{"key":"2692_CR114","unstructured":"Huang, Q., Zhang, Z., Liu, Y., & Tang, J. (2024). Stealthy and persistent unalignment on large language models via backdoor injections. 
In: NAACL."},{"key":"2692_CR115","unstructured":"Hung-Quang, N., Nguyen, N.-H., Nguyen-Tang, T., Wong, K.-S., Thanh-Tung, H., Doan, K.D., et\u00a0al. (2025). Wicked oddities: Selectively poisoning for effective clean-label backdoor attacks. In: ICLR."},{"key":"2692_CR116","doi-asserted-by":"crossref","unstructured":"Huynh, T., Tran, A., Doan, K.D., & Pham, T. (2024). Data poisoning quantization backdoor attack. In: ECCV.","DOI":"10.1007\/978-3-031-72907-2_3"},{"key":"2692_CR117","unstructured":"Ilyas, A., Engstrom, L., & Madry, A. (2019). Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR."},{"key":"2692_CR118","unstructured":"Ilyas, A., Engstrom, L., Athalye, A., & Lin, J. (2018) Black-box adversarial attacks with limited queries and information. In: ICML."},{"key":"2692_CR119","unstructured":"Inkawhich, N., Liang, K., Carin, L., & Chen, Y. (2020). Transferable perturbations of deep feature distributions. In: ICLR."},{"key":"2692_CR120","first-page":"20791","volume":"33","author":"N Inkawhich","year":"2020","unstructured":"Inkawhich, N., Liang, K., Wang, B., Inkawhich, M., Carin, L., & Chen, Y. (2020). Perturbing across the feature hierarchy to improve standard and strict blackbox attack transferability. Advances in Neural Information Processing Systems, 33, 20791.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR121","doi-asserted-by":"crossref","unstructured":"Jan, S.T., Messou, J., Lin, Y.-C., Huang, J.-B., & Wang, G. (2019). Connecting the digital and physical world: Improving the robustness of adversarial attacks. In: AAAI, vol. 33.","DOI":"10.1609\/aaai.v33i01.3301962"},{"key":"2692_CR122","first-page":"71029","volume":"36","author":"RD Jha","year":"2023","unstructured":"Jha, R. D., Hayase, J., & Oh, S. (2023). Label poisoning is all you need. 
Advances in Neural Information Processing Systems, 36, 71029.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR123","doi-asserted-by":"crossref","unstructured":"Jia, X., Gao, S., Guo, Q., Ma, K., Huang, Y., Qin, S., Liu, Y., & Cao, X. (2024). Semantic-aligned adversarial evolution triangle for high-transferability vision-language attack. arXiv preprint arXiv:2411.02669.","DOI":"10.1109\/TPAMI.2025.3581476"},{"key":"2692_CR124","doi-asserted-by":"crossref","unstructured":"Jia, J., Liu, Y., & Gong, N.Z. (2022). Badencoder: Backdoor attacks to pre-trained encoders in self-supervised learning. In: IEEE S&P, pp. 2043\u20132059.","DOI":"10.1109\/SP46214.2022.9833644"},{"key":"2692_CR125","doi-asserted-by":"crossref","unstructured":"Jiang, W., Li, H., Xu, G., & Zhang, T. (2023). Color backdoor: A robust poisoning attack in color space. In: CVPR.","DOI":"10.1109\/CVPR52729.2023.00786"},{"key":"2692_CR126","doi-asserted-by":"crossref","unstructured":"Joon Oh, S., Fritz, M., & Schiele, B. (2017). Adversarial image perturbation for privacy protection-a game theory perspective. In: ICCV, pp. 1482\u20131491.","DOI":"10.1109\/ICCV.2017.165"},{"key":"2692_CR127","doi-asserted-by":"crossref","unstructured":"Kanbak, C., Moosavi-Dezfooli, S.-M., & Frossard, P. (2018). Geometric robustness of deep networks: analysis and improvement. In: CVPR.","DOI":"10.1109\/CVPR.2018.00467"},{"key":"2692_CR128","unstructured":"Karmon, D., Zoran, D., & Goldberg, Y. (2018). Lavan: Localized and visible adversarial noise. In: ICML."},{"key":"2692_CR129","unstructured":"Kenton, J.D.M.-W.C., & Toutanova, L.K. (2019). Bert: Pre-training of deep bidirectional transformers for language understanding. In: Proceedings of NAACL-HLT."},{"issue":"3","key":"2692_CR130","doi-asserted-by":"publisher","first-page":"361","DOI":"10.1145\/2678373.2665726","volume":"42","author":"Y Kim","year":"2014","unstructured":"Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J. 
H., Lee, D., Wilkerson, C., Lai, K., & Mutlu, O. (2014). Flipping bits in memory without accessing them: An experimental study of dram disturbance errors. ACM SIGARCH Computer Architecture News, 42(3), 361\u2013372.","journal-title":"ACM SIGARCH Computer Architecture News"},{"key":"2692_CR131","doi-asserted-by":"crossref","unstructured":"Komkov, S., & Petiushko, A. (2021). Advhat: Real-world adversarial attack on arcface face id system. In: ICPR.","DOI":"10.1109\/ICPR48806.2021.9412236"},{"key":"2692_CR132","unstructured":"Kone\u010dn\u1ef3, J., McMahan, H.B., Yu, F.X., Richt\u00e1rik, P., Suresh, A.T., & Bacon, D. (2016). Federated learning: Strategies for improving communication efficiency. In: NIPS Workshop on Private Multi-Party Machine Learning."},{"key":"2692_CR133","doi-asserted-by":"crossref","unstructured":"Kong, Z., Guo, J., Li, A., & Liu, C. (2020). Physgan: Generating physical-world-resilient adversarial examples for autonomous driving. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.01426"},{"key":"2692_CR134","doi-asserted-by":"crossref","unstructured":"Kong, C., Xu, R., Chen, W., Chen, J., & Yin, Z. (2024). Protecting copyright of medical pre-trained language models: Training-free backdoor watermarking. arXiv preprint arXiv:2409.10570.","DOI":"10.1145\/3746027.3755548"},{"issue":"1","key":"2692_CR135","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s44267-024-00066-7","volume":"2","author":"D Kong","year":"2024","unstructured":"Kong, D., Liang, S., Zhu, X., Zhong, Y., & Ren, W. (2024). Patch is enough: Naturalistic adversarial patch against vision-language pre-training models. Visual Intelligence, 2(1), 1\u201310.","journal-title":"Visual Intelligence"},{"key":"2692_CR136","doi-asserted-by":"crossref","unstructured":"Kou, Z., Pei, S., Tian, Y., & Zhang, X. (2023). Character as pixels: A controllable prompt adversarial attacking framework for black-box text guided image generation models. In: IJCAI, pp. 
983\u2013990.","DOI":"10.24963\/ijcai.2023\/109"},{"key":"2692_CR137","unstructured":"Krizhevsky, A. (2009). Learning multiple layers of features from tiny images. University of Toronto."},{"key":"2692_CR138","doi-asserted-by":"crossref","unstructured":"Kurakin, A., Goodfellow, I.J., & Bengio, S. (2018). Adversarial examples in the physical world. In: Artificial Intelligence Safety and Security, pp. 99\u2013112.","DOI":"10.1201\/9781351251389-8"},{"key":"2692_CR139","unstructured":"Laidlaw, C., & Feizi, S. (2019). Functional adversarial attacks. In: NeurIPS."},{"key":"2692_CR140","doi-asserted-by":"crossref","unstructured":"Li, Y., Bai, S., Zhou, Y., Xie, C., Zhang, Z., & Yuille, A. (2020). Learning transferable adversarial examples via ghost networks. In: AAAI.","DOI":"10.1609\/aaai.v34i07.6810"},{"key":"2692_CR141","unstructured":"Li, J., Chen, Z., Li, B., & Ma, X. (2023). On evaluating adversarial robustness of large vision-language models. In: NeurIPS."},{"key":"2692_CR142","doi-asserted-by":"crossref","unstructured":"Li, X., Chen, Z., Zhao, Y., Tong, Z., Zhao, Y., Lim, A., & Zhou, J.T. (2021). Pointba: Towards backdoor attacks in 3d point cloud. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.01618"},{"key":"2692_CR143","doi-asserted-by":"crossref","unstructured":"Li, M., Deng, C., Li, T., Yan, J., Gao, X., & Huang, H. (2020). Towards transferable targeted attack. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.00072"},{"key":"2692_CR144","unstructured":"Li, Q., Guo, Y., Zuo, W., & Chen, H. (2023). Making substitute models more bayesian can enhance transferability of adversarial examples. In: ICLR."},{"key":"2692_CR145","doi-asserted-by":"crossref","unstructured":"Li, J., Ji, R., Liu, H., Hong, X., Gao, Y., & Tian, Q. (2019). Universal perturbation attack against image retrieval. In: ICCV.","DOI":"10.1109\/ICCV.2019.00500"},{"key":"2692_CR146","doi-asserted-by":"crossref","unstructured":"Li, J., Ji, R., Liu, H., Liu, J., Zhong, B., Deng, C., & Tian, Q. (2020). 
Projection & probability-driven black-box attack. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.00044"},{"key":"2692_CR147","unstructured":"Li, Y., Jin, W., Xu, H., & Tang, J. (2020). Deeprobust: A pytorch library for adversarial attacks and defenses. arXiv preprint arXiv:2005.06149."},{"key":"2692_CR148","unstructured":"Li, Y., Li, T., Chen, K., Zhang, J., Liu, S., Wang, W., Zhang, T., & Liu, Y. (2024). Badedit: Backdooring large language models by model editing. arXiv preprint arXiv:2403.13355."},{"key":"2692_CR149","unstructured":"Li, Y., Li, L., Wang, L., Zhang, T., & Gong, B. (2019). Nattack: Learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML."},{"key":"2692_CR150","doi-asserted-by":"crossref","unstructured":"Li, Y., Li, Y., Wu, B., Li, L., He, R., & Lyu, S. (2021). Invisible backdoor attack with sample-specific triggers. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.01615"},{"key":"2692_CR151","doi-asserted-by":"crossref","unstructured":"Li, S., Liu, H., Dong, T., Zhao, B.Z.H., Xue, M., Zhu, H., & Lu, J. (2021). Hidden backdoors in human-centric language models. In: ACM CCS.","DOI":"10.1145\/3460120.3484576"},{"key":"2692_CR152","unstructured":"Li, Y., Lyu, X., Koren, N., et\u00a0al. (2023). Vlattack: Multimodal adversarial attacks via pre-trained models. In: NeurIPS."},{"key":"2692_CR153","doi-asserted-by":"crossref","unstructured":"Li, L., Song, D., Li, X., Zeng, J., Ma, R., & Qiu, X. (2021). Backdoor attacks on pre-trained models by layerwise weight poisoning. In: EMNLP.","DOI":"10.18653\/v1\/2021.emnlp-main.241"},{"key":"2692_CR154","doi-asserted-by":"crossref","unstructured":"Li, Z., Sun, H., Xia, P., Xia, B., Rui, X., Zhang, W., & Li, B. (2023). A proxy-free strategy for practically improving the poisoning efficiency in backdoor attacks. 
arXiv preprint arXiv:2306.08313.","DOI":"10.1109\/TIFS.2024.3472510"},{"key":"2692_CR155","unstructured":"Li, H., Wang, Y., Xie, X., Liu, Y., Wang, S., Wan, R., Chau, L.-P., & Kot, A.C. (2020). Light can hack your face! black-box backdoor attack on face recognition systems. arXiv preprint arXiv:2009.06996."},{"key":"2692_CR156","doi-asserted-by":"crossref","unstructured":"Li, T., Wu, B., Yang, Y., Fan, Y., Zhang, Y., & Liu, W. (2019). Compressing convolutional neural networks via factorized convolutional filters. In: CVPR.","DOI":"10.1109\/CVPR.2019.00410"},{"key":"2692_CR157","unstructured":"Li, Z., Xia, P., Sun, H., Zeng, Y., Zhang, W., & Li, B. (2023). Explore the effect of data selection on poison efficiency in backdoor attacks. arXiv preprint arXiv:2310.09744."},{"key":"2692_CR158","doi-asserted-by":"crossref","unstructured":"Li, H., Xu, X., Zhang, X., Yang, S., & Li, B. (2020). Qeba: Query-efficient boundary-based blackbox attack. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.00130"},{"key":"2692_CR159","doi-asserted-by":"crossref","unstructured":"Li, M., Yang, Z., Wang, T., Zhang, Y., & Wen, W. (2024). Dual protection for image privacy and copyright via traceable adversarial examples. IEEE CSVT.","DOI":"10.1109\/TCSVT.2024.3448351"},{"key":"2692_CR160","doi-asserted-by":"crossref","unstructured":"Li, D., Zhang, J., & Huang, K. (2021). Universal adversarial perturbations against object detection. Pattern Recognition,110, Article 107584.","DOI":"10.1016\/j.patcog.2020.107584"},{"key":"2692_CR161","unstructured":"Li, Y., Zhang, Z., Bai, J., Wu, B., Jiang, Y., & Xia, S.-T. (2020). Open-sourced dataset protection via backdoor watermarking. In: NeurIPS Workshop on Dataset Curation and Security."},{"key":"2692_CR162","unstructured":"Li, K., Zhao, T., Hu, Y., et\u00a0al. (2025). Universal adversarial attack on aligned multimodal llms. 
arXiv preprint arXiv:2502.10233."},{"key":"2692_CR163","doi-asserted-by":"crossref","unstructured":"Liang, J., Liang, S., Luo, M., Liu, A., Han, D., Chang, E.-C., & Cao, X. (2024). Vl-trojan: Multimodal instruction backdoor attacks against autoregressive visual language models. arXiv preprint arXiv:2402.13851.","DOI":"10.1007\/s11263-025-02368-9"},{"key":"2692_CR164","doi-asserted-by":"crossref","unstructured":"Liang, S., Liang, J., Pang, T., Du, C., Liu, A., Chang, E.-C., & Cao, X. (2024). Revisiting backdoor attacks against large vision-language models. arXiv preprint arXiv:2406.18844.","DOI":"10.1109\/CVPR52734.2025.00885"},{"key":"2692_CR165","doi-asserted-by":"crossref","unstructured":"Liang, S., Wu, B., Fan, Y., Wei, X., & Cao, X. (2021). Parallel rectangle flip attack: A query-based black-box attack against object detection. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.00760"},{"key":"2692_CR166","doi-asserted-by":"crossref","unstructured":"Liang, S., Zhu, M., Liu, A., Wu, B., Cao, X., & Chang, E.-C. (2024). Badclip: Dual-embedding guided backdoor attack on multimodal contrastive learning. In: CVPR.","DOI":"10.1109\/CVPR52733.2024.02327"},{"key":"2692_CR167","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1007\/s44267-024-00055-w","volume":"2","author":"J Liao","year":"2024","unstructured":"Liao, J., Yi, L., Shi, W., Yang, W., Fang, Y., & Yang, X. (2024). Imperceptible backdoor watermarks for speech recognition model copyright protection. Visual Intelligence, 2, 23.","journal-title":"Visual Intelligence"},{"key":"2692_CR168","unstructured":"Lin, J., Song, C., He, K., Wang, L., & Hopcroft, J.E. (2020). Nesterov accelerated gradient and scale invariance for adversarial attacks. In: ICLR."},{"key":"2692_CR169","doi-asserted-by":"crossref","unstructured":"Lin, J., Xu, L., Liu, Y., & Zhang, X. (2020). Composite backdoor attack for deep neural network by mixing existing benign features. In: ACM CCS, pp. 
113\u2013131.","DOI":"10.1145\/3372297.3423362"},{"key":"2692_CR170","doi-asserted-by":"crossref","unstructured":"Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., & Wang, T. (2019). Deepsec: A uniform platform for security analysis of deep learning model. In: IEEE S&P, pp. 673\u2013690.","DOI":"10.1109\/SP.2019.00023"},{"key":"2692_CR171","unstructured":"Liu, S., Chen, P.-Y., Chen, X., & Hong, M. (2019). signsgd via zeroth-order oracle. In: ICLR."},{"key":"2692_CR172","unstructured":"Liu, Y., Deng, G., Li, Y., Wang, K., Zhang, T., Liu, Y., Wang, H., Zheng, Y., & Liu, Y. (2023). Prompt injection attack against llm-integrated applications. arXiv preprint arXiv:2306.05499."},{"key":"2692_CR173","doi-asserted-by":"crossref","unstructured":"Liu, H., Ji, R., Li, J., Zhang, B., Gao, Y., Wu, Y., & Huang, F. (2019). Universal adversarial perturbation via prior driven uncertainty approximation. In: ICCV.","DOI":"10.1109\/ICCV.2019.00303"},{"key":"2692_CR174","doi-asserted-by":"crossref","unstructured":"Liu, X., Liu, J., Bai, Y., Gu, J., Chen, T., Jia, X., & Cao, X. (2022). Watermark vaccine: Adversarial attacks to prevent watermark removal. In: ECCV.","DOI":"10.1007\/978-3-031-19781-9_1"},{"key":"2692_CR175","doi-asserted-by":"crossref","unstructured":"Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., & Tao, D. (2019). Perceptual-sensitive gan for generating adversarial patches. In: AAAI.","DOI":"10.1609\/aaai.v33i01.33011028"},{"key":"2692_CR176","doi-asserted-by":"crossref","unstructured":"Liu, Y., Ma, S., Aafer, Y., Lee, W.-C., Zhai, J., Wang, W., & Zhang, X. (2018). Trojaning attack on neural networks. In: NDSS.","DOI":"10.14722\/ndss.2018.23291"},{"key":"2692_CR177","doi-asserted-by":"crossref","unstructured":"Liu, Y., Ma, X., Bailey, J., & Lu, F. (2020). Reflection backdoor: A natural backdoor attack on deep neural networks. 
In: ECCV.","DOI":"10.1007\/978-3-030-58607-2_11"},{"key":"2692_CR178","doi-asserted-by":"crossref","unstructured":"Liu, Y., Moosavi-Dezfooli, S.-M., & Frossard, P. (2019). A geometry-inspired decision-based attack. In: ICCV.","DOI":"10.1109\/ICCV.2019.00499"},{"key":"2692_CR179","doi-asserted-by":"crossref","unstructured":"Liu, Y., Wei, L., Luo, B., & Xu, Q. (2017). Fault injection attack on deep neural network. In: ICCAD.","DOI":"10.1109\/ICCAD.2017.8203770"},{"key":"2692_CR180","doi-asserted-by":"crossref","unstructured":"Liu, Z., Wu, B., Luo, W., Yang, X., Liu, W., & Cheng, K.-T. (2018). Bi-real net: Enhancing the performance of 1-bit cnns with improved representational capability and advanced training algorithm. In: ECCV.","DOI":"10.1007\/978-3-030-01267-0_44"},{"key":"2692_CR181","unstructured":"Liu, Y., Yi, Z., & Chen, T. (2020). Backdoor attacks and defenses in feature-partitioned collaborative learning. arXiv preprint arXiv:2007.03608."},{"key":"2692_CR182","unstructured":"Liu, H., Zhao, B., Guo, J., An, Y., & Liu, P. (2020). Greedyfool: Distortion-aware sparse adversarial attack. In: NeurIPS."},{"key":"2692_CR183","doi-asserted-by":"crossref","unstructured":"Liu, J., Zhou, J., Zeng, J., & Tian, J. (2024). Difattack: Query-efficient black-box adversarial attack via disentangled feature space. In: AAAI.","DOI":"10.1609\/aaai.v38i4.28156"},{"key":"2692_CR184","first-page":"2088","volume":"18","author":"S Li","year":"2021","unstructured":"Li, S., Xue, M., Zhao, B., Zhu, H., & Zhang, X. (2021). Invisible backdoor attacks on deep neural networks via steganography and regularization. IEEE Transactions on Dependable and Secure Computing, 18, 2088.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"2692_CR185","doi-asserted-by":"publisher","first-page":"2318","DOI":"10.1109\/TIFS.2023.3265535","volume":"18","author":"Y Li","year":"2023","unstructured":"Li, Y., Zhu, M., Yang, X., Jiang, Y., Wei, T., & Xia, S.-T. (2023). 
Black-box dataset ownership verification via backdoor watermarking. IEEE Transactions on Information Forensics and Security, 18, 2318.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"2692_CR186","doi-asserted-by":"crossref","unstructured":"Long, Y., Zhang, Q., Zeng, B., Gao, L., Liu, X., Zhang, J., & Song, J. (2022). Frequency domain model augmentation for adversarial attack. In: ECCV.","DOI":"10.1007\/978-3-031-19772-7_32"},{"key":"2692_CR187","unstructured":"Lord, N.A., Mueller, R., & Bertinetto, L. (2022). Attacking deep networks with surrogate-based adversarial black-box methods is easy. In: ICLR."},{"key":"2692_CR188","unstructured":"Lovisotto, G., Turner, H., Sluganovic, I., Strohmeier, M., & Martinovic, I. (2021). Slap: improving physical adversarial examples with short-lived adversarial perturbations. In: USENIX, pp. 1865\u20131882."},{"key":"2692_CR189","doi-asserted-by":"crossref","unstructured":"Lu, Y., & Huang, B. (2020). Structured output learning with conditional generative flows. In: AAAI.","DOI":"10.1609\/aaai.v34i04.5940"},{"key":"2692_CR190","doi-asserted-by":"crossref","unstructured":"Lyu, W., Pang, L., Ma, T., Ling, H., & Chen, C. (2024). Trojvlm: Backdoor attack against vision language models. In: ECCV.","DOI":"10.1007\/978-3-031-73650-6_27"},{"key":"2692_CR191","doi-asserted-by":"crossref","unstructured":"Ma, J., Cao, A., Xiao, Z., Li, Y., Zhang, J., Ye, C., & Zhao, J. (2024). Jailbreaking prompt attack: A controllable adversarial attack against diffusion models. arXiv preprint arXiv:2404.02928.","DOI":"10.18653\/v1\/2025.findings-naacl.172"},{"key":"2692_CR192","doi-asserted-by":"crossref","unstructured":"Ma, C., Chen, L., & Yong, J.-H. (2021). Simulating unknown target models for query-efficient black-box attacks. In: CVPR.","DOI":"10.1109\/CVPR46437.2021.01166"},{"key":"2692_CR193","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., & Vladu, A. (2018). 
Towards deep learning models resistant to adversarial attacks. In: ICLR."},{"key":"2692_CR194","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3425780","volume":"54","author":"Y Mirsky","year":"2021","unstructured":"Mirsky, Y., & Lee, W. (2021). The creation and detection of deepfakes: A survey. ACM Computing Surveys, 54, 1.","journal-title":"ACM Computing Surveys"},{"key":"2692_CR195","doi-asserted-by":"crossref","unstructured":"Modas, A., Moosavi-Dezfooli, S., & Frossard, P. (2019). Sparsefool: A few pixels make a big difference. In: CVPR.","DOI":"10.1109\/CVPR.2019.00930"},{"key":"2692_CR196","first-page":"15871","volume":"33","author":"H Mohaghegh Dolatabadi","year":"2020","unstructured":"Mohaghegh Dolatabadi, H., Erfani, S., & Leckie, C. (2020). Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. Advances in Neural Information Processing Systems, 33, 15871.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR197","unstructured":"Moon, S., An, G., & Song, H.O. (2019). Parsimonious black-box adversarial attacks via efficient combinatorial optimization. In: ICML."},{"key":"2692_CR198","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S.-M., Fawzi, A., & Frossard, P. (2016). Deepfool: a simple and accurate method to fool deep neural networks. In: CVPR.","DOI":"10.1109\/CVPR.2016.282"},{"key":"2692_CR199","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S.-M., Fawzi, A., Fawzi, O. & Frossard, P. (2017). Universal adversarial perturbations. In: CVPR.","DOI":"10.1109\/CVPR.2017.17"},{"key":"2692_CR200","unstructured":"Mopuri, K., Garg, U., & Venkatesh Babu, R. (2017). Fast feature fool: A data independent approach to universal adversarial perturbations. In: BMVC."},{"issue":"10","key":"2692_CR201","doi-asserted-by":"publisher","first-page":"2452","DOI":"10.1109\/TPAMI.2018.2861800","volume":"41","author":"KR Mopuri","year":"2018","unstructured":"Mopuri, K. 
R., Ganeshan, A., & Babu, R. V. (2018). Generalizable data-free objective for crafting universal adversarial perturbations. IEEE Transactions on Pattern Analysis and Machine Intelligence, 41(10), 2452\u20132465.","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"2692_CR202","doi-asserted-by":"crossref","unstructured":"Morris, J., Lifland, E., Yoo, J.Y., Grigsby, J., Jin, D., & Qi, Y. (2020). Textattack: A framework for adversarial attacks, data augmentation, and adversarial training in nlp. In: EMNLP: System Demonstrations.","DOI":"10.18653\/v1\/2020.emnlp-demos.16"},{"key":"2692_CR203","doi-asserted-by":"crossref","unstructured":"Narodytska, N., & Kasiviswanathan, S.P. (2017). Simple black-box adversarial perturbations for deep networks. CVPR Workshops.","DOI":"10.1109\/CVPRW.2017.172"},{"key":"2692_CR204","doi-asserted-by":"crossref","unstructured":"Naseer, M., Khan, S., Hayat, M., Khan, F.S., & Porikli, F. (2021). On generating transferable targeted perturbations. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.00761"},{"key":"2692_CR205","unstructured":"Naseer, M.M., Khan, S.H., Khan, M.H., Shahbaz Khan, F., & Porikli, F. (2019). Cross-domain transferability of adversarial perturbations. In: NeurIPS."},{"key":"2692_CR206","first-page":"481","volume":"2019","author":"P Neekhara","year":"2019","unstructured":"Neekhara, P., Hussain, S., Pandey, P., Dubnov, S., McAuley, J., & Koushanfar, F. (2019). Universal adversarial perturbations for speech recognition systems. INTERSPEECH, 2019, 481\u2013485.","journal-title":"INTERSPEECH"},{"issue":"2","key":"2692_CR207","doi-asserted-by":"publisher","first-page":"527","DOI":"10.1007\/s10208-015-9296-2","volume":"17","author":"Y Nesterov","year":"2017","unstructured":"Nesterov, Y., & Spokoiny, V. (2017). Random gradient-free minimization of convex functions. 
Foundations of Computational Mathematics, 17(2), 527\u2013566.","journal-title":"Foundations of Computational Mathematics"},{"key":"2692_CR208","unstructured":"Nguyen, T.A., & Tran, A.T. (2021). Wanet - imperceptible warping-based backdoor attack. In: ICLR."},{"key":"2692_CR209","first-page":"66364","volume":"36","author":"DT Nguyen","year":"2023","unstructured":"Nguyen, D. T., Nguyen, T. M., Tran, A. T., Doan, K. D., & Wong, K. S. (2023). Iba: Towards irreversible backdoor attacks in federated learning. Advances in Neural Information Processing Systems, 36, 66364.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR210","first-page":"3454","volume":"33","author":"TA Nguyen","year":"2020","unstructured":"Nguyen, T. A., & Tran, A. (2020). Input-aware dynamic backdoor attack. Advances in Neural Information Processing Systems, 33, 3454.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR211","unstructured":"Nicolae, M.-I., Sinn, M., Tran, M.N., Buesser, B., Rawat, A., Wistuba, M., Zantedeschi, V., Baracaldo, N., Chen, B., Ludwig, H., Molloy, I.M., & Edwards, B. (2019). Adversarial Robustness Toolbox v1.0.0."},{"key":"2692_CR212","doi-asserted-by":"crossref","unstructured":"Ning, R., Li, J., Xin, C., & Wu, H. (2021). Invisible poison: A blackbox clean label backdoor attack to deep neural networks. In: ICCC.","DOI":"10.1109\/INFOCOM42981.2021.9488902"},{"key":"2692_CR213","doi-asserted-by":"crossref","unstructured":"Ning, R., Li, J., Xin, C., Wu, H., & Wang, C. (2022). Hibernated backdoor: A mutual information empowered backdoor attack to deep neural networks. In: AAAI.","DOI":"10.1609\/aaai.v36i9.21272"},{"key":"2692_CR214","doi-asserted-by":"crossref","unstructured":"Pang, R., Zhang, Z., Gao, X., Xi, Z., Ji, S., Cheng, P., & Wang, T. (2022). Trojanzoo: Towards unified, holistic, and practical evaluation of neural backdoors. 
In: Euro S&P.","DOI":"10.1109\/EuroSP53844.2022.00048"},{"key":"2692_CR215","first-page":"82265","volume":"37","author":"Z Pan","year":"2024","unstructured":"Pan, Z., Yao, Y., Liu, G., Shen, B., Zhao, H. V., Kompella, R., & Liu, S. (2024). From trojan horses to castle walls: Unveiling bilateral data poisoning effects in diffusion models. Advances in Neural Information Processing Systems, 37, 82265.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR216","unstructured":"Papernot, N., Faghri, F., Carlini, N., Goodfellow, I., Feinman, R., Kurakin, A., Xie, C., Sharma, Y., Brown, T., Roy, A., Matyasko, A., Behzadan, V., Hambardzumyan, K., Zhang, Z., Juang, Y.-L., Li, Z., Sheatsley, R., Garg, A., Uesato, J., Gierke, W., Dong, Y., Berthelot, D., Hendricks, P., Rauber, J., & Long, R. (2018). Technical report on the cleverhans v2.1.0 adversarial examples library. arXiv preprint arXiv:1610.00768."},{"key":"2692_CR217","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z.B., & Swami, A. (2016). The limitations of deep learning in adversarial settings. In: IEEE EuroS&P, pp. 372\u2013387.","DOI":"10.1109\/EuroSP.2016.36"},{"key":"2692_CR218","doi-asserted-by":"crossref","unstructured":"Peng, W., Yi, J., Wu, F.Z., Wu, S., Zhu, B.B., Lv, L., Jiao, B.X., Xu, T., Sun, G., & Xie, X. (2023). Are you copying my model? protecting the copyright of large language models for EaaS via backdoor watermark. In: ACL.","DOI":"10.18653\/v1\/2023.acl-long.423"},{"key":"2692_CR219","unstructured":"Perez, F., & Ribeiro, I. (2022). Ignore previous prompt: Attack techniques for language models. In: NeurIPS Workshop."},{"key":"2692_CR220","doi-asserted-by":"crossref","unstructured":"Phan, H., Shi, C., Xie, Y., Zhang, T., Li, Z., Zhao, T., Liu, J., Wang, Y., Chen, Y., & Yuan, B. (2022). Ribac: Towards robust and imperceptible backdoor attack against compact dnn. 
In: ECCV.","DOI":"10.1007\/978-3-031-19772-7_41"},{"key":"2692_CR221","doi-asserted-by":"crossref","unstructured":"Phan, H., Xie, Y., Liu, J., Chen, Y., & Yuan, B. (2022). Invisible and efficient backdoor attacks for compressed deep neural networks. In: ICASSP.","DOI":"10.1109\/ICASSP43922.2022.9747582"},{"key":"2692_CR222","doi-asserted-by":"crossref","unstructured":"Poursaeed, O., Katsman, I., Gao, B., & Belongie, S. (2018). Generative adversarial perturbations. In: CVPR.","DOI":"10.1109\/CVPR.2018.00465"},{"key":"2692_CR223","doi-asserted-by":"crossref","unstructured":"Qi, X., Huang, K., Panda, A., Henderson, P., Wang, M., & Mittal, P. (2024). Visual adversarial examples jailbreak aligned large language models. In: AAAI.","DOI":"10.1609\/aaai.v38i19.30150"},{"key":"2692_CR224","unstructured":"Qi, X., Xie, T., Li, Y., Mahloujifar, S., & Mittal, P. (2022). Revisiting the assumption of latent separability for backdoor defenses. In: ICLR."},{"key":"2692_CR225","doi-asserted-by":"crossref","unstructured":"Qi, X., Xie, T., Pan, R., Zhu, J., Yang, Y., & Bu, K. (2022). Towards practical deployment-stage backdoor attack on deep neural networks. In: CVPR.","DOI":"10.1109\/CVPR52688.2022.01299"},{"key":"2692_CR226","doi-asserted-by":"crossref","unstructured":"Qi, X., Zhu, J., Xie, C., & Yang, Y. (2021) Subnet replacement: Deployment-stage backdoor attack against deep neural networks in gray-box setting. In: ICLR Workshop.","DOI":"10.1109\/CVPR52688.2022.01299"},{"key":"2692_CR227","unstructured":"Qin, Y., Carlini, N., Cottrell, G., Goodfellow, I., & Raffel, C. (2019). Imperceptible, robust, and targeted adversarial examples for automatic speech recognition. In: ICML."},{"key":"2692_CR228","first-page":"29845","volume":"35","author":"Z Qin","year":"2022","unstructured":"Qin, Z., Fan, Y., Liu, Y., Shen, L., Zhang, Y., Wang, J., & Wu, B. (2022). Boosting the transferability of adversarial attacks with reverse adversarial perturbation. 
Advances in neural information processing systems, 35, 29845.","journal-title":"Advances in neural information processing systems"},{"key":"2692_CR229","first-page":"7650","volume":"34","author":"Z Qin","year":"2021","unstructured":"Qin, Z., Fan, Y., Zha, H., & Wu, B. (2021). Random noise defense against query-based black-box attacks. Advances in Neural Information Processing Systems, 34, 7650.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR230","doi-asserted-by":"publisher","first-page":"3943","DOI":"10.1109\/TIFS.2024.3372803","volume":"19","author":"Z Qu","year":"2024","unstructured":"Qu, Z., Xi, Z., Lu, W., Luo, X., Wang, Q., & Li, B. (2024). Df-rap: A robust adversarial perturbation for defending against deepfakes in real-world social network scenarios. IEEE Transactions on Information Forensics and Security, 19, 3943.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"2692_CR231","unstructured":"Radford, A., Kim, J.W., Hallacy, C., Ramesh, A., Goh, G., Agarwal, S., Sastry, G., Askell, A., Mishkin, P., Clark, J., et\u00a0al. (2021). Learning transferable visual models from natural language supervision. In: ICML."},{"key":"2692_CR232","first-page":"53728","volume":"36","author":"R Rafailov","year":"2023","unstructured":"Rafailov, R., Sharma, A., Mitchell, E., Manning, C. D., Ermon, S., & Finn, C. (2023). Direct preference optimization: Your language model is secretly a reward model. Advances in Neural Information Processing Systems, 36, 53728.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR233","doi-asserted-by":"crossref","unstructured":"Rahmati, A., Moosavi-Dezfooli, S.-M., Frossard, P., & Dai, H. (2020). Geoda: a geometric framework for black-box adversarial attacks. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.00847"},{"key":"2692_CR234","doi-asserted-by":"crossref","unstructured":"Rakin, A.S., He, Z., & Fan, D. (2020). 
Tbt: targeted neural network attack with bit trojan. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.01321"},{"issue":"11","key":"2692_CR235","doi-asserted-by":"publisher","first-page":"7928","DOI":"10.1109\/TPAMI.2021.3112932","volume":"44","author":"AS Rakin","year":"2022","unstructured":"Rakin, A. S., He, Z., Li, J., Yao, F., Chakrabarti, C., & Fan, D. (2022). T-bfa: Targeted bit-flip adversarial weight attack. IEEE Transactions on Pattern Analysis and Machine Intelligence, 44(11), 7928\u20137939.","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"2692_CR236","unstructured":"Rauber, J., Brendel, W., & Bethge, M. (2017). Foolbox: A python toolbox to benchmark the robustness of machine learning models. In: ICML Workshop."},{"key":"2692_CR237","doi-asserted-by":"crossref","unstructured":"Reza, M.F., Rahmati, A., Wu, T., & Dai, H. (2023). Cgba: Curvature-aware geometric black-box attack. In: ICCV.","DOI":"10.1109\/ICCV51070.2023.00018"},{"key":"2692_CR238","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/s11263-015-0816-y","volume":"115","author":"O Russakovsky","year":"2015","unstructured":"Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M., et al. (2015). Imagenet large scale visual recognition challenge. International Journal of Computer Vision, 115, 211\u2013252.","journal-title":"International Journal of Computer Vision"},{"key":"2692_CR239","doi-asserted-by":"crossref","unstructured":"Saha, A., Subramanya, A., & Pirsiavash, H. (2020). Hidden trigger backdoor attacks. In: AAAI.","DOI":"10.1609\/aaai.v34i07.6871"},{"key":"2692_CR240","doi-asserted-by":"crossref","unstructured":"Salem, A., Wen, R., Backes, M., Ma, S., & Zhang, Y. (2022). Dynamic backdoor attacks against machine learning models. 
In: IEEE EuroS&P.","DOI":"10.1109\/EuroSP53844.2022.00049"},{"key":"2692_CR241","doi-asserted-by":"publisher","first-page":"361","DOI":"10.1109\/TBIOM.2021.3132132","volume":"4","author":"E Sarkar","year":"2022","unstructured":"Sarkar, E., Benkraouda, H., Krishnan, G., Gamil, H., & Maniatakos, M. (2022). Facehack: Attacking facial recognition systems using malicious facial characteristics. IEEE Transactions on Biometrics, Behavior, and Identity Science, 4, 361\u2013372.","journal-title":"IEEE Transactions on Biometrics, Behavior, and Identity Science"},{"key":"2692_CR242","doi-asserted-by":"crossref","unstructured":"Sayles, A., Hooda, A., Gupta, M., Chatterjee, R., & Fernandes, E. (2021). Invisible perturbations: Physical adversarial examples exploiting the rolling shutter effect. In: CVPR.","DOI":"10.1109\/CVPR46437.2021.01443"},{"key":"2692_CR243","doi-asserted-by":"crossref","unstructured":"Schlarmann, C., & Hein, M. (2023). On the adversarial robustness of multi-modal foundation models. In: ICCV.","DOI":"10.1109\/ICCVW60793.2023.00395"},{"key":"2692_CR244","unstructured":"Schott, L., Rauber, J., Bethge, M., & Brendel, W. (2019). Towards the first adversarially robust neural network model on mnist. In: ICLR."},{"key":"2692_CR245","unstructured":"Shafahi, A., Huang, W.R., Najibi, M., Suciu, O., Studer, C., Dumitras, T., & Goldstein, T. (2018). Poison frogs! targeted clean-label poisoning attacks on neural networks. In: NeurIPS."},{"key":"2692_CR246","doi-asserted-by":"crossref","unstructured":"Sharif, M., Bhagavatula, S., Bauer, L., & Reiter, M.K. (2016). Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. In: ACM CCS.","DOI":"10.1145\/2976749.2978392"},{"issue":"3","key":"2692_CR247","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3317611","volume":"22","author":"M Sharif","year":"2019","unstructured":"Sharif, M., Bhagavatula, S., Bauer, L., & Reiter, M. K. (2019). 
A general framework for adversarial examples with objectives. ACM Transactions on Privacy and Security, 22(3), 1\u201330.","journal-title":"ACM Transactions on Privacy and Security"},{"key":"2692_CR248","unstructured":"Shayegani, E., Dong, Y., & Abu-Ghazaleh, N. (2023). Jailbreak in pieces: Compositional adversarial attacks on multi-modal language models. In: ICLR."},{"key":"2692_CR249","doi-asserted-by":"crossref","unstructured":"Shen, L., Ji, S., Zhang, X., Li, J., Chen, J., Shi, J., Fang, C., Yin, J., & Wang, T. (2021). Backdoor pre-trained models can transfer to all. In: ACM CCS.","DOI":"10.1145\/3460120.3485370"},{"key":"2692_CR250","doi-asserted-by":"crossref","unstructured":"Shi, Y., Li, P., Yin, C., Han, Z., Zhou, L., & Liu, Z. (2022). Promptattack: Prompt-based attack for language models via gradient search. In: NLPCC.","DOI":"10.1007\/978-3-031-17120-8_53"},{"key":"2692_CR251","unstructured":"Shi, J., Liu, Y., Zhou, P., & Sun, L. (2023). Badgpt: Exploring security vulnerabilities of chatgpt via backdoor attacks to instructgpt. arXiv preprint arXiv:2304.12298."},{"key":"2692_CR252","unstructured":"Shi, H., Mao, J., Xiao, T., Jiang, Y., & Sun, J. (2018). Learning visually-grounded semantics from contrastive adversarial samples. In: COLING."},{"issue":"2","key":"2692_CR253","doi-asserted-by":"publisher","first-page":"2226","DOI":"10.1109\/TPAMI.2022.3169802","volume":"45","author":"Y Shi","year":"2023","unstructured":"Shi, Y., Han, Y., Hu, Q., Yang, Y., & Tian, Q. (2023). Query-efficient black-box adversarial attack with customized iteration and sampling. IEEE Transactions on Pattern Analysis and Machine Intelligence, 45(2), 2226\u20132245.","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"2692_CR254","unstructured":"Shokri, R., et\u00a0al. (2020). Bypassing backdoor detection algorithms in deep learning. 
In: IEEE EuroS&P."},{"key":"2692_CR255","first-page":"18021","volume":"34","author":"I Shumailov","year":"2021","unstructured":"Shumailov, I., Shumaylov, Z., Kazhdan, D., Zhao, Y., Papernot, N., Erdogdu, M. A., & Anderson, R. J. (2021). Manipulating sgd with data ordering attacks. Advances in Neural Information Processing Systems, 34, 18021.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR256","unstructured":"Soklaski, R., Goodwin, J., Brown, O., Yee, M., & Matterer, J. (2022). Tools and practices for responsible ai engineering. arXiv preprint arXiv:2201.05647."},{"key":"2692_CR257","unstructured":"Sommer, D.M., Song, L., Wagh, S., & Mittal, P. (2020). Towards probabilistic verification of machine unlearning. arXiv preprint arXiv:2003.04247."},{"key":"2692_CR258","doi-asserted-by":"crossref","unstructured":"Song, Z., Li, Y., Yuan, D., Liu, L., Wei, S., & Wu, B. (2026). WPDA: Frequency-based backdoor attack with wavelet packet decomposition. Neural Networks, 194.","DOI":"10.1016\/j.neunet.2025.108074"},{"key":"2692_CR259","unstructured":"Song, Y., Shu, R., Kushman, N., & Ermon, S. (2018). Constructing unrestricted adversarial examples with generative models. In: NeurIPS."},{"key":"2692_CR260","first-page":"19165","volume":"35","author":"H Souri","year":"2022","unstructured":"Souri, H., Fowl, L., Chellappa, R., Goldblum, M., & Goldstein, T. (2022). Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch. Advances in Neural Information Processing Systems, 35, 19165\u201319178.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR261","first-page":"19165","volume":"35","author":"H Souri","year":"2022","unstructured":"Souri, H., Fowl, L., Chellappa, R., Goldblum, M., & Goldstein, T. (2022). Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch. 
Advances in Neural Information Processing Systems, 35, 19165.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR262","first-page":"9759","volume":"34","author":"J Springer","year":"2021","unstructured":"Springer, J., Mitchell, M., & Kenyon, G. (2021). A little robustness goes a long way: Leveraging robust features for targeted transfer attacks. Advances in Neural Information Processing Systems, 34, 9759.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR263","first-page":"3008","volume":"33","author":"N Stiennon","year":"2020","unstructured":"Stiennon, N., Ouyang, L., Wu, J., Ziegler, D. M., Lowe, R., Voss, C., Radford, A., Amodei, D., & Christiano, P. (2020). Learning to summarize from human feedback. Advances in Neural Information Processing Systems, 33, 3008.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR264","doi-asserted-by":"crossref","unstructured":"Struppek, L., Hintersdorf, D., & Kersting, K. (2023). Rickrolling the artist: Injecting backdoors into text encoders for text-to-image synthesis. In: ICCV.","DOI":"10.1109\/ICCV51070.2023.00423"},{"key":"2692_CR265","doi-asserted-by":"crossref","unstructured":"Su, Z., Zhou, D., Wang, N., Liu, D., Wang, Z., & Gao, X. (2023). Hiding visual information via obfuscating adversarial perturbations. In: ICCV.","DOI":"10.1109\/ICCV51070.2023.00402"},{"key":"2692_CR266","doi-asserted-by":"publisher","first-page":"828","DOI":"10.1109\/TEVC.2019.2890858","volume":"23","author":"J Su","year":"2019","unstructured":"Su, J., Vargas, D. V., & Sakurai, K. (2019). One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation, 23, 828.","journal-title":"IEEE Transactions on Evolutionary Computation"},{"key":"2692_CR267","unstructured":"Suya, F., Chi, J., Evans, D., & Tian, Y. (2020). Hybrid batch attacks: Finding black-box adversarial examples with limited queries. 
In: USENIX."},{"issue":"2","key":"2692_CR268","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1002\/cpa.21423","volume":"66","author":"EG Tabak","year":"2013","unstructured":"Tabak, E. G., & Turner, C. V. (2013). A family of nonparametric density estimation algorithms. Communications on Pure and Applied Mathematics, 66(2), 145\u2013164.","journal-title":"Communications on Pure and Applied Mathematics"},{"key":"2692_CR269","doi-asserted-by":"crossref","unstructured":"Tancik, M., Mildenhall, B., & Ng, R. (2020). Stegastamp: Invisible hyperlinks in physical photographs. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.00219"},{"key":"2692_CR270","doi-asserted-by":"crossref","unstructured":"Tang, R., Du, M., Liu, N., Yang, F., & Hu, X. (2020). An embarrassingly simple approach for trojan attack in deep neural networks. In: KDD.","DOI":"10.1145\/3394486.3403064"},{"key":"2692_CR271","doi-asserted-by":"publisher","first-page":"1372","DOI":"10.1109\/TIFS.2022.3160359","volume":"17","author":"Y Tian","year":"2022","unstructured":"Tian, Y., Suya, F., Xu, F., & Evans, D. (2022). Stealthy backdoors as compression artifacts. IEEE Transactions on Information Forensics and Security, 17, 1372.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"2692_CR272","unstructured":"Toneva, M., Sordoni, A., Combes, R.T., Trischler, A., Bengio, Y., & Gordon, G.J. (2019). An empirical study of example forgetting during deep neural network learning. In: ICLR."},{"key":"2692_CR273","unstructured":"Tsai, Y.-L., Hsu, C.-Y., Xie, C., Lin, C.-H., Chen, J.Y., Li, B., Chen, P.-Y., Yu, C.-M., & Huang, C.-Y. (2024). Ring-a-bell! how reliable are concept removal methods for diffusion models? In: ICLR."},{"key":"2692_CR274","unstructured":"Turner, A., Tsipras, D., & Madry, A. (2019). Label-consistent backdoor attacks. arXiv preprint arXiv:1912.02771."},{"key":"2692_CR275","unstructured":"University, T., Security, A. RealAI: Adversarial Robustness Benchmark. 
https:\/\/ml.cs.tsinghua.edu.cn\/adv-bench."},{"issue":"4","key":"2692_CR276","doi-asserted-by":"publisher","first-page":"784","DOI":"10.1137\/1118101","volume":"18","author":"S Vallender","year":"1974","unstructured":"Vallender, S. (1974). Calculation of the wasserstein distance between probability distributions on the line. Theory of Probability & Its Applications, 18(4), 784\u2013786.","journal-title":"Theory of Probability & Its Applications"},{"key":"2692_CR277","doi-asserted-by":"publisher","first-page":"4865","DOI":"10.1109\/TIFS.2024.3386058","volume":"19","author":"J Vice","year":"2024","unstructured":"Vice, J., Akhtar, N., Hartley, R., & Mian, A. (2024). Bagm: A backdoor attack for manipulating text-to-image generative models. IEEE Transactions on Information Forensics and Security, 19, 4865.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"2692_CR278","unstructured":"Wan, A., Wallace, E., Shen, S., & Klein, D. (2023). Poisoning language models during instruction tuning. In: ICML."},{"key":"2692_CR279","doi-asserted-by":"crossref","unstructured":"Wang, X., & He, K. (2021). Enhancing the transferability of adversarial attacks through variance tuning. In: CVPR.","DOI":"10.1109\/CVPR46437.2021.00196"},{"key":"2692_CR280","doi-asserted-by":"crossref","unstructured":"Wang, H., & Shu, K. (2023). Backdoor activation attack: Attack large language models using activation steering for safety-alignment. arXiv preprint arXiv:2311.09433.","DOI":"10.1145\/3627673.3679821"},{"key":"2692_CR281","doi-asserted-by":"crossref","unstructured":"Wang, J., Chen, Z., Jiang, K., Yang, D., Hong, L., Guo, P., Guo, H., & Zhang, W. (2024). Boosting the transferability of adversarial attacks with global momentum initialization. Expert Systems with Applications, 255, Article 124757.","DOI":"10.1016\/j.eswa.2024.124757"},{"key":"2692_CR282","unstructured":"Wang, R., Chen, H., Zhu, Z., Liu, L., Zhang, Y., Fan, Y., & Wu, B. (2023). 
Robust backdoor attack with visible, semantic, sample-specific, and compatible triggers. arXiv preprint arXiv:2306.00816."},{"key":"2692_CR283","doi-asserted-by":"crossref","unstructured":"Wang, R., Guo, Y., & Wang, Y. (2024). Ags: Affordable and generalizable substitute training for transferable adversarial attack. In: AAAI.","DOI":"10.1609\/aaai.v38i6.28365"},{"key":"2692_CR284","doi-asserted-by":"crossref","unstructured":"Wang, Z., Guo, H., Zhang, Z., Liu, W., Qin, Z., & Ren, K. (2021). Feature importance-aware transferable adversarial attacks. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.00754"},{"key":"2692_CR285","unstructured":"Wang, X., He, K., & Hopcroft, J.E. (2019). At-gan: A generative attack model for adversarial transferring on generative adversarial nets. arXiv preprint arXiv:1904.07793 3(4)."},{"key":"2692_CR286","doi-asserted-by":"crossref","unstructured":"Wang, X., He, X., Wang, J., & He, K. (2021) Admix: Enhancing the transferability of adversarial attacks. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.01585"},{"key":"2692_CR287","doi-asserted-by":"crossref","unstructured":"Wang, K., He, X., Wang, W., & Wang, X. (2024). Boosting adversarial transferability by block shuffle and rotation. In: CVPR.","DOI":"10.1109\/CVPR52733.2024.02297"},{"key":"2692_CR288","doi-asserted-by":"crossref","unstructured":"Wang, R., Huang, Z., Chen, Z., Liu, L., Chen, J., & Wang, L. (2022). Anti-forgery: Towards a stealthy and robust deepfake disruption attack via adversarial perceptual-aware perturbations. In: IJCAI.","DOI":"10.24963\/ijcai.2022\/107"},{"key":"2692_CR289","unstructured":"Wang, J., Li, J., Li, Y., Qi, X., Hu, J., Li, Y., McDaniel, P., Chen, M., Li, B., & Xiao, C. (2024). Backdooralign: Mitigating fine-tuning based jailbreak attack with backdoor enhanced safety alignment. NeurIPS."},{"key":"2692_CR290","doi-asserted-by":"crossref","unstructured":"Wang, X., Lin, J., Hu, H., Wang, J., & He, K. (2021). 
Boosting adversarial transferability through enhanced momentum. In: BMVC.","DOI":"10.5244\/C.35.186"},{"key":"2692_CR291","doi-asserted-by":"crossref","unstructured":"Wang, Y., Liu, C., Qu, Y., Cao, H., Jiang, D., & Xu, L. (2024). Break the visual perception: Adversarial attacks targeting encoded visual tokens of large vision-language models. In: ACM MM.","DOI":"10.1145\/3664647.3680779"},{"key":"2692_CR292","doi-asserted-by":"crossref","unstructured":"Wang, X., Ren, J., Lin, S., Zhu, X., Wang, Y., & Zhang, Q. (2021). A unified approach to interpreting and boosting adversarial transferability. In: ICLR.","DOI":"10.5244\/C.35.186"},{"key":"2692_CR293","unstructured":"Wang, B., Xu, C., Wang, S., Gan, Z., Cheng, Y., Gao, J., Awadallah, A.H., & Li, B. (2021). Adversarial glue: A multi-task benchmark for robustness evaluation of language models. In: NeurIPS."},{"key":"2692_CR294","unstructured":"Wang, C., Yang, J., Yu, J., Lin, H., & Song, Y. (2024). Universal vulnerabilities in large language models: Backdoor attacks for in-context learning. In: EMNLP."},{"key":"2692_CR295","doi-asserted-by":"crossref","unstructured":"Wang, B., Yao, Y., Shan, S., Li, H., Viswanath, B., Zheng, H., & Zhao, B.Y. (2019). Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In: 2019 IEEE S&P.","DOI":"10.1109\/SP.2019.00031"},{"key":"2692_CR296","doi-asserted-by":"crossref","unstructured":"Wang, T., Yao, Y., Xu, F., An, S., Tong, H., & Wang, T. (2022). An invisible black-box backdoor attack through frequency domain. In: ECCV.","DOI":"10.1007\/978-3-031-19778-9_23"},{"key":"2692_CR297","doi-asserted-by":"crossref","unstructured":"Wang, Z., Zhai, J., & Ma, S. (2022). Bppattack: Stealthy and efficient trojan attacks against deep neural networks via image quantization and contrastive adversarial learning. In: CVPR.","DOI":"10.1109\/CVPR52688.2022.01465"},{"key":"2692_CR298","doi-asserted-by":"crossref","unstructured":"Wang, X., Zhang, Z., & Zhang, J. (2023). 
Structure invariant transformation for better adversarial transferability. In: ICCV.","DOI":"10.1109\/ICCV51070.2023.00425"},{"key":"2692_CR299","doi-asserted-by":"crossref","unstructured":"Wang, Z., Zheng, S., Song, M., Wang, Q., Rahimpour, A., & Qi, H. (2019). advpattern: Physical-world attacks on deep person re-identification via adversarially transformable patterns. In: ICCV.","DOI":"10.1109\/ICCV.2019.00843"},{"key":"2692_CR300","doi-asserted-by":"crossref","unstructured":"Wang, R., Zhu, M., Ou, J., Chen, R., Tao, X., Wan, P., & Wu, B. (2025). Badvideo: Stealthy backdoor attack against text-to-video generation. In: ICCV.","DOI":"10.1109\/ICCV51701.2025.01773"},{"key":"2692_CR301","first-page":"16070","volume":"33","author":"H Wang","year":"2020","unstructured":"Wang, H., Sreenivasan, K., Rajput, S., Vishwakarma, H., Agarwal, S., Sohn, J.-Y., Lee, K., & Papailiopoulos, D. (2020). Attack of the tails: Yes, you really can backdoor federated learning. Advances in neural information processing systems, 33, 16070.","journal-title":"Advances in neural information processing systems"},{"key":"2692_CR302","first-page":"3091","volume":"17","author":"Y Wang","year":"2022","unstructured":"Wang, Y., Zhao, M., Li, S., Yuan, X., & Ni, W. (2022). Dispersed pixel perturbation-based imperceptible backdoor trigger for image classifier models. IEEE TIFS, 17, 3091\u20133106.","journal-title":"IEEE TIFS"},{"key":"2692_CR303","doi-asserted-by":"crossref","unstructured":"Wei, X., Zhu, J., Yuan, S., & Su, H. (2019). Sparse adversarial perturbations for videos. In: AAAI.","DOI":"10.1609\/aaai.v33i01.33018973"},{"key":"2692_CR304","unstructured":"Wen, Y., Geiping, J., Fowl, L., Souri, H., Chellappa, R., Goldblum, M., & Goldstein, T. (2022). Thinking two moves ahead: Anticipating other users improves backdoor attacks in federated learning. 
arXiv preprint arXiv:2210.09305."},{"key":"2692_CR305","doi-asserted-by":"crossref","unstructured":"Wenger, E., Passananti, J., Bhagoji, A.N., Yao, Y., Zheng, H., & Zhao, B.Y. (2021). Backdoor attacks against deep learning systems in the physical world. In: CVPR.","DOI":"10.1109\/CVPR46437.2021.00614"},{"issue":"1","key":"2692_CR306","first-page":"949","volume":"15","author":"D Wierstra","year":"2014","unstructured":"Wierstra, D., Schaul, T., Glasmachers, T., Sun, Y., Peters, J., & Schmidhuber, J. (2014). Natural evolution strategies. The Journal of Machine Learning Research, 15(1), 949\u2013980.","journal-title":"The Journal of Machine Learning Research"},{"key":"2692_CR307","unstructured":"Wong, E., & Kolter, J.Z. (2020). Learning perturbation sets for robust machine learning. In: ICLR."},{"key":"2692_CR308","unstructured":"Wong, E., Schmidt, F., & Kolter, Z. (2019). Wasserstein adversarial examples via projected sinkhorn iterations. In: ICML."},{"key":"2692_CR309","unstructured":"Wu, L., & Zhu, Z. (2020). Towards understanding and improving the transferability of adversarial examples in deep neural networks. In: ACML."},{"key":"2692_CR310","doi-asserted-by":"crossref","unstructured":"Wu, B., Chen, H., Zhang, M., Zhu, Z., Wei, S., Yuan, D., Zhu, M., Wang, R., Liu, L., & Shen, C. (2025). Backdoorbench: A comprehensive benchmark and analysis of backdoor learning. IJCV, 5700\u20135787.","DOI":"10.1007\/s11263-025-02447-x"},{"key":"2692_CR311","unstructured":"Wu, Y., Han, X., Qiu, H., & Zhang, T. (2026). Computation and data efficient backdoor attacks. In: ICCV."},{"key":"2692_CR312","doi-asserted-by":"crossref","unstructured":"Wu, Z., Lim, S.-N., Davis, L.S., & Goldstein, T. (2020). Making an invisibility cloak: Real world adversarial attacks on object detectors. In: ECCV.","DOI":"10.1007\/978-3-030-58548-8_1"},{"key":"2692_CR313","unstructured":"Wu, D., Wang, Y., Xia, S.-T., Bailey, J., & Ma, X. (2020). 
Skip connections matter: On the transferability of adversarial examples generated with resnets. In: ICLR."},{"key":"2692_CR314","doi-asserted-by":"crossref","unstructured":"Wu, B., Zhu, M., Zheng, M., Zhu, Z., Wei, S., Zhang, M., Chen, H., Yuan, D., Liu, L., & Liu, Q. (2026). Defenses in adversarial machine learning: A systematic survey from the lifecycle perspective. IEEE Transactions on Pattern Analysis and Machine Intelligence, 48(1), 876-895.","DOI":"10.1109\/TPAMI.2025.3611340"},{"key":"2692_CR315","unstructured":"Wu, B. BlackboxBench. https:\/\/github.com\/SCLBD\/BlackboxBench."},{"key":"2692_CR316","first-page":"10546","volume":"35","author":"B Wu","year":"2022","unstructured":"Wu, B., Chen, H., Zhang, M., Zhu, Z., Wei, S., Yuan, D., & Shen, C. (2022). Backdoorbench: A comprehensive benchmark of backdoor learning. Advances in Neural Information Processing Systems, 35, 10546.","journal-title":"Advances in Neural Information Processing Systems"},{"issue":"7","key":"2692_CR317","doi-asserted-by":"publisher","first-page":"1695","DOI":"10.1109\/TPAMI.2018.2845842","volume":"41","author":"B Wu","year":"2019","unstructured":"Wu, B., & Ghanem, B. (2019). Lp-box admm: A versatile framework for integer programming. IEEE Transactions on Pattern analysis and Machine Intelligence, 41(7), 1695\u20131708.","journal-title":"IEEE Transactions on Pattern analysis and Machine Intelligence"},{"key":"2692_CR318","doi-asserted-by":"crossref","unstructured":"Xia, P., Li, Z., Zhang, W., & Li, B. (2022). Data-efficient backdoor attacks. In: IJCAI.","DOI":"10.24963\/ijcai.2022\/554"},{"key":"2692_CR319","doi-asserted-by":"crossref","unstructured":"Xia, P., Li, Z., Zhang, W., & Li, B. (2022). Data-efficient backdoor attacks. In: IJCAI.","DOI":"10.24963\/ijcai.2022\/554"},{"key":"2692_CR320","unstructured":"Xiang, Z., Jiang, F., Xiong, Z., Ramasubramanian, B., Poovendran, R., & Li, B. (2024). Badchain: Backdoor chain-of-thought prompting for large language models. 
In: ICLR."},{"key":"2692_CR321","doi-asserted-by":"crossref","unstructured":"Xiang, Z., Miller, D.J., Chen, S., Li, X., & Kesidis, G. (2021). A backdoor attack against 3d point cloud classifiers. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.00750"},{"key":"2692_CR322","doi-asserted-by":"crossref","unstructured":"Xiao, C., Li, B., Zhu, J.Y., He, W., Liu, M., & Song, D. (2018) Generating adversarial examples with adversarial networks. In: IJCAI.","DOI":"10.24963\/ijcai.2018\/543"},{"key":"2692_CR323","unstructured":"Xiao, C., Zhu, J.-Y., Li, B., He, W., Liu, M., & Song, D. (2018). Spatially transformed adversarial examples. In: ICLR."},{"key":"2692_CR324","first-page":"43549","volume":"37","author":"J Xia","year":"2024","unstructured":"Xia, J., Yue, Z., Zhou, Y., Ling, Z., Shi, Y., Wei, X., & Chen, M. (2024). Waveattack: Asymmetric frequency obfuscation-based backdoor attacks against deep neural networks. Advances in Neural Information Processing Systems, 37, 43549.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR325","unstructured":"Xie, C., Huang, K., Chen, P.-Y., & Li, B. (2019). Dba: Distributed backdoor attacks against federated learning. In: ICLR."},{"key":"2692_CR326","doi-asserted-by":"crossref","unstructured":"Xie, Y., Li, Z., Shi, C., Liu, J., Chen, Y., & Yuan, B. (2021). Enabling fast and universal audio adversarial attack using generative model. In: AAAI.","DOI":"10.1609\/aaai.v35i16.17663"},{"key":"2692_CR327","doi-asserted-by":"crossref","unstructured":"Xie, W., Niu, Z., Lin, Q., Song, S., & Shen, L. (2024). Generative imperceptible attack with feature learning bias reduction and multi-scale variance regularization. IEEE TIFS.","DOI":"10.1109\/TIFS.2024.3451689"},{"key":"2692_CR328","doi-asserted-by":"crossref","unstructured":"Xie, C., Zhang, Z., Zhou, Y., Bai, S., Wang, J., Ren, Z., & Yuille, A.L. (2019). Improving transferability of adversarial examples with input diversity. 
In: CVPR.","DOI":"10.1109\/CVPR.2019.00284"},{"key":"2692_CR329","doi-asserted-by":"crossref","unstructured":"Xiong, Y., Lin, J., Zhang, M., Hopcroft, J.E., & He, K. (2022). Stochastic variance reduced ensemble adversarial attack for boosting the adversarial transferability. In: CVPR.","DOI":"10.1109\/CVPR52688.2022.01456"},{"key":"2692_CR330","doi-asserted-by":"crossref","unstructured":"Xu, L., Chen, Y., Cui, G., Gao, H., & Liu, Z. (2022). Exploring the universal vulnerability of prompt-based learning paradigm. In: NAACL.","DOI":"10.18653\/v1\/2022.findings-naacl.137"},{"key":"2692_CR331","doi-asserted-by":"crossref","unstructured":"Xu, X., Chen, X., Liu, C., Rohrbach, A., Darrell, T., & Song, D. (2018). Fooling vision and language models despite localization and attention mechanism. In: CVPR.","DOI":"10.1109\/CVPR.2018.00520"},{"key":"2692_CR332","doi-asserted-by":"crossref","unstructured":"Xu, X., Chen, J., Xiao, J., Gao, L., Shen, F., & Shen, H.T. (2020). What machines see is not what they get: Fooling scene text recognition models with adversarial text images. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.01232"},{"key":"2692_CR333","doi-asserted-by":"crossref","unstructured":"Xu, X., Chen, J., Xiao, J., Wang, Z., Yang, Y., & Shen, H.T. (2020). Learning optimization-based adversarial perturbations for attacking sequential recognition models. In: ACM Multimedia.","DOI":"10.1145\/3394171.3413543"},{"key":"2692_CR334","unstructured":"Xu, K., Liu, S., Zhao, P., Chen, P.-Y., Zhang, H., Erdogmus, D., Wang, Y., & Lin, X. (2019). Structured adversarial attack: Towards general implementation and better interpretability. In: ICLR."},{"key":"2692_CR335","doi-asserted-by":"crossref","unstructured":"Xu, Y., Wu, B., Shen, F., Fan, Y., Zhang, Y., Shen, H.T., & Liu, W. (2019). Exact adversarial attack to image captioning via structured output learning with latent variables. 
In: CVPR.","DOI":"10.1109\/CVPR.2019.00426"},{"key":"2692_CR336","doi-asserted-by":"crossref","unstructured":"Xu, K., Zhang, G., Liu, S., Fan, Q., Sun, M., Chen, H., Chen, P.-Y., Wang, Y., & Lin, X. (2020). Adversarial t-shirt! evading person detectors in a physical world. In: ECCV.","DOI":"10.1007\/978-3-030-58558-7_39"},{"key":"2692_CR337","doi-asserted-by":"crossref","unstructured":"Xue, M., He, C., Wu, Y., Sun, S., Zhang, Y., Wang, J., & Liu, W. (2022). Ptb: Robust physical backdoor attacks against deep neural networks in real world. Computers & Security.","DOI":"10.1016\/j.cose.2022.102726"},{"key":"2692_CR338","doi-asserted-by":"publisher","first-page":"111","DOI":"10.1049\/cdt2.12056","volume":"17","author":"M Xue","year":"2023","unstructured":"Xue, M., Sun, S., He, C., Gu, D., Zhang, Y., Wang, J., & Liu, W. (2023). Activeguard: An active intellectual property protection technique for deep neural networks by leveraging adversarial examples as users\u2019 fingerprints. IET Computers & Digital Techniques, 17, 111.","journal-title":"IET Computers & Digital Techniques"},{"key":"2692_CR339","first-page":"65665","volume":"36","author":"J Xue","year":"2023","unstructured":"Xue, J., Zheng, M., Hua, T., Shen, Y., Liu, Y., Boloni, L., & Lou, Q. (2023). Trojllm: A black-box trojan prompt attack on large language models. Advances in Neural Information Processing Systems, 36, 65665.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR340","doi-asserted-by":"crossref","unstructured":"Yakura, H., & Sakuma, J. (2019). Robust audio adversarial example for a physical attack. In: IJCAI.","DOI":"10.24963\/ijcai.2019\/741"},{"key":"2692_CR341","doi-asserted-by":"crossref","unstructured":"Yan, Z., Li, G., Tian, Y., Wu, J., Li, S., Chen, M., & Poor, H.V. (2021). Dehib: Deep hidden backdoor attack on semi-supervised learning via adversarial perturbation. 
In: AAAI.","DOI":"10.1609\/aaai.v35i12.17266"},{"key":"2692_CR342","doi-asserted-by":"crossref","unstructured":"Yan, J., Yadav, V., Li, S., Chen, L., Tang, Z., Wang, H., Srinivasan, V., Ren, X., & Jin, H. (2024). Backdooring instruction-tuned large language models with virtual prompt injection. In: NAACL.","DOI":"10.18653\/v1\/2024.naacl-long.337"},{"key":"2692_CR343","unstructured":"Yan, Z., Zhang, Y., Yuan, X., Lyu, S., & Wu, B. (2023). Deepfakebench: a comprehensive benchmark of deepfake detection. In: NeurIPS D&B Track."},{"key":"2692_CR344","doi-asserted-by":"crossref","unstructured":"Yang, Y., Gao, R., Wang, X., Ho, T.-Y., Xu, N., & Xu, Q. (2024). Mma-diffusion: Multimodal attack on diffusion models. In: CVPR.","DOI":"10.1109\/CVPR52733.2024.00739"},{"key":"2692_CR345","unstructured":"Yang, F., Huang, Y., Wang, K., Shi, L., Pu, G., Liu, Y., & Wang, H. (2024). Efficient and effective universal adversarial attack against vision-language pre-training models. arXiv preprint arXiv:2410.11639."},{"key":"2692_CR346","doi-asserted-by":"crossref","unstructured":"Yang, Y., Hui, B., Yuan, H., Gong, N., & Cao, Y. (2024). Sneakyprompt: Jailbreaking text-to-image generative models. In: IEEE S&P, pp. 897\u2013912.","DOI":"10.1109\/SP54263.2024.00123"},{"key":"2692_CR347","first-page":"12288","volume":"33","author":"J Yang","year":"2020","unstructured":"Yang, J., Jiang, Y., Huang, X., Ni, B., & Zhao, C. (2020). Learning black-box attackers with transferable priors and query feedback. Advances in Neural Information Processing Systems, 33, 12288.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR348","doi-asserted-by":"crossref","unstructured":"Yao, Y., Li, H., Zheng, H., & Zhao, B.Y. (2019). Latent backdoor attacks on deep neural networks. In: ACM CCS.","DOI":"10.1145\/3319535.3354209"},{"key":"2692_CR349","doi-asserted-by":"crossref","unstructured":"Yao, H., Lou, J., & Qin, Z. (2023). 
Poisonprompt: Backdoor attack on prompt-based large language models. arXiv preprint arXiv:2310.12439.","DOI":"10.1109\/ICASSP48485.2024.10446267"},{"key":"2692_CR350","first-page":"30181","volume":"34","author":"M Yatsura","year":"2021","unstructured":"Yatsura, M., Metzen, J., & Hein, M. (2021). Meta-learning the search distribution of black-box random search based adversarial attacks. Advances in Neural Information Processing Systems, 34, 30181.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR351","doi-asserted-by":"publisher","first-page":"6657","DOI":"10.1609\/aaai.v38i7.28488","volume":"38","author":"J Ye","year":"2024","unstructured":"Ye, J., Yu, R., Liu, S., & Wang, X. (2024). Mutual-modality adversarial attack with semantic perturbation. Proceedings of the AAAI Conference on Artificial Intelligence, 38, 6657\u20136665.","journal-title":"Proceedings of the AAAI Conference on Artificial Intelligence"},{"issue":"3","key":"2692_CR352","doi-asserted-by":"publisher","first-page":"1804","DOI":"10.1109\/TPAMI.2022.3194988","volume":"46","author":"F Yin","year":"2023","unstructured":"Yin, F., Zhang, Y., Wu, B., Feng, Y., Zhang, J., Fan, Y., & Yang, Y. (2023). Generalizable black-box adversarial attack with meta learning. IEEE Transactions on Pattern Analysis and Machine Intelligence, 46(3), 1804\u20131818.","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"},{"key":"2692_CR353","doi-asserted-by":"crossref","unstructured":"Yu, C.-N.J., & Joachims, T. (2009). Learning structural svms with latent variables. In: ICML.","DOI":"10.1145\/1553374.1553523"},{"key":"2692_CR354","unstructured":"Yu, L., Liu, S., Miao, Y., Gao, X.-S., & Zhang, L. (2024). Generalization bound and new algorithm for clean-label backdoor attack. In: ICML."},{"key":"2692_CR355","doi-asserted-by":"crossref","unstructured":"Yu, P., Song, K., & Lu, J. (2018). Generating adversarial examples with conditional generative adversarial net. 
In: ICPR.","DOI":"10.1109\/ICPR.2018.8545152"},{"key":"2692_CR356","doi-asserted-by":"crossref","unstructured":"Yu, Y., Wang, Y., Yang, W., Lu, S., Tan, Y.-P., & Kot, A.C. (2023). Backdoor attacks against deep image compression via adaptive frequency trigger. In: CVPR.","DOI":"10.1109\/CVPR52729.2023.01179"},{"key":"2692_CR357","doi-asserted-by":"crossref","unstructured":"Yuan, J., & He, Z. (2021). Consistency-sensitivity guided ensemble black-box adversarial attacks in low-dimensional spaces. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.00768"},{"key":"2692_CR358","doi-asserted-by":"crossref","unstructured":"Yuan, Z., Zhang, J., Jia, Y., Tan, C., Xue, T., & Shan, S. (2021). Meta gradient adversarial attack. In: ICCV.","DOI":"10.1109\/ICCV48922.2021.00765"},{"issue":"1","key":"2692_CR359","doi-asserted-by":"publisher","first-page":"49","DOI":"10.1111\/j.1467-9868.2005.00532.x","volume":"68","author":"M Yuan","year":"2006","unstructured":"Yuan, M., & Lin, Y. (2006). Model selection and estimation in regression with grouped variables. Journal of the Royal Statistical Society: Series B, 68(1), 49\u201367.","journal-title":"Journal of the Royal Statistical Society: Series B"},{"key":"2692_CR360","doi-asserted-by":"crossref","unstructured":"Zeng, G., Qi, F., Zhou, Q., Zhang, T., Hou, B., Zang, Y., Liu, Z., & Sun, M. (2021). Openattack: An open-source textual adversarial attack toolkit. In: ACL and IJCNLP: System Demonstrations.","DOI":"10.18653\/v1\/2021.acl-demo.43"},{"key":"2692_CR361","doi-asserted-by":"crossref","unstructured":"Zhai, S., Dong, Y., Shen, Q., Pu, S., Fang, Y., & Su, H. (2023). Text-to-image diffusion models can be easily backdoored through multimodal data poisoning. In: ACM MM.","DOI":"10.1145\/3581783.3612108"},{"key":"2692_CR362","doi-asserted-by":"crossref","unstructured":"Zhang, C., Benz, P., Imtiaz, T., & Kweon, I.-S. (2020). Cd-uap: Class discriminative universal adversarial perturbation. 
In: AAAI.","DOI":"10.1609\/aaai.v34i04.6154"},{"key":"2692_CR363","doi-asserted-by":"crossref","unstructured":"Zhang, Q., Ding, Y., Tian, Y., Guo, J., Yuan, M., & Jiang, Y. (2021). Advdoor: Adversarial backdoor attack of deep learning system. In: ISSTA.","DOI":"10.1145\/3460319.3464809"},{"key":"2692_CR364","doi-asserted-by":"crossref","unstructured":"Zhang, J., Huang, Y., Xu, Z., Wu, W., & Lyu, M.R. (2024). Improving the adversarial transferability of vision transformers with virtual dense connection. In: AAAI.","DOI":"10.1609\/aaai.v38i7.28541"},{"key":"2692_CR365","unstructured":"Zhang, Z., Lyu, L., Wang, W., Sun, L., & Sun, X. (2021). How to inject backdoors with better consistency: Logit anchoring on clean data. In: ICLR."},{"key":"2692_CR366","unstructured":"Zhang, Z., Panda, A., Song, L., Yang, Y., Mahoney, M., Mittal, P., Kannan, R., & Gonzalez, J. (2022). Neurotoxin: durable backdoors in federated learning. In: ICML."},{"key":"2692_CR367","unstructured":"Zhang, W., Qian, J., Fu, X., et\u00a0al. (2023). Image hijacks: Adversarial images can control generative models at runtime. arXiv preprint arXiv:2308.12378."},{"key":"2692_CR368","doi-asserted-by":"crossref","unstructured":"Zhang, Y., Ruan, W., Wang, F., & Huang, X. (2020). Generalizing universal adversarial attacks beyond additive perturbations. In: ICDM.","DOI":"10.1109\/ICDM50108.2020.00186"},{"key":"2692_CR369","doi-asserted-by":"crossref","unstructured":"Zhang, J., Sang, J., Zhao, X., Huang, X., Sun, Y., & Hu, Y. (2020). Adversarial privacy-preserving filter. In: ACM MM, pp. 1423\u20131431.","DOI":"10.1145\/3394171.3413906"},{"key":"2692_CR370","doi-asserted-by":"crossref","unstructured":"Zhang, J., Wu, W., Huang, J.-T., Huang, Y., Wang, W., Su, Y., & Lyu, M.R. (2022). Improving adversarial transferability via neuron attribution-based attacks. In: CVPR.","DOI":"10.1109\/CVPR52688.2022.01457"},{"key":"2692_CR371","unstructured":"Zhang, J., Ye, J., Ma, X., Li, Y., Yang, Y., Sang, J., & Yeung, D.-Y. 
(2024). Anyattack: Targeted adversarial attacks on vision-language models toward any images. arXiv preprint arXiv:2410.05346."},{"key":"2692_CR372","doi-asserted-by":"crossref","unstructured":"Zhang, X., Zhang, Z., Ji, S., & Wang, T. (2021). Trojaning language models for fun and profit. In: IEEE EuroS&P.","DOI":"10.1109\/EuroSP51992.2021.00022"},{"key":"2692_CR373","doi-asserted-by":"publisher","first-page":"5691","DOI":"10.1109\/TIP.2022.3201472","volume":"31","author":"J Zhang","year":"2022","unstructured":"Zhang, J., Dongdong, C., Huang, Q., Liao, J., Zhang, W., Feng, H., Hua, G., & Yu, N. (2022). Poison ink: Robust and invisible backdoor attack. IEEE Transactions on Image Processing, 31, 5691\u20135705.","journal-title":"IEEE Transactions on Image Processing"},{"key":"2692_CR374","doi-asserted-by":"publisher","first-page":"2018","DOI":"10.1109\/TCE.2023.3337207","volume":"70","author":"G Zhang","year":"2023","unstructured":"Zhang, G., Gao, M., Li, Q., Zhai, W., Zou, G., & Jeon, G. (2023). Disrupting deepfakes via union-saliency adversarial attack. IEEE Transactions on Consumer Electronics, 70, 2018.","journal-title":"IEEE Transactions on Consumer Electronics"},{"key":"2692_CR375","first-page":"61213","volume":"36","author":"H Zhang","year":"2023","unstructured":"Zhang, H., Jia, J., Chen, J., Lin, L., & Wu, D. (2023). A3fl: Adversarially adaptive backdoor attacks to federated learning. Advances in neural information processing systems, 36, 61213.","journal-title":"Advances in neural information processing systems"},{"issue":"7","key":"2692_CR376","first-page":"2578","volume":"31","author":"J Zhang","year":"2019","unstructured":"Zhang, J., & Li, C. (2019). Adversarial examples: Opportunities and challenges. 
Transactions on Neural Networks and Learning Systems, 31(7), 2578\u20132593.","journal-title":"Transactions on Neural Networks and Learning Systems"},{"key":"2692_CR377","doi-asserted-by":"publisher","first-page":"4628","DOI":"10.1109\/TIFS.2024.3383648","volume":"19","author":"Y Zhang","year":"2024","unstructured":"Zhang, Y., Ye, D., Xie, C., Tang, L., Liao, X., Liu, Z., Chen, C., & Deng, J. (2024). Dual defense: Adversarial, traceable, and invisible robust watermarking against face swapping. IEEE Transactions on Information Forensics and Security, 19, 4628.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"2692_CR378","doi-asserted-by":"publisher","first-page":"2558","DOI":"10.1109\/TIP.2024.3378918","volume":"33","author":"Z Zhang","year":"2024","unstructured":"Zhang, Z., Yuan, X., Zhu, L., Song, J., & Nie, L. (2024). Badcm: Invisible backdoor attack against cross-modal learning. IEEE Transactions on Image Processing, 33, 2558.","journal-title":"IEEE Transactions on Image Processing"},{"key":"2692_CR379","doi-asserted-by":"crossref","unstructured":"Zhao, Z., Chen, X., Xuan, Y., Dong, Y., Wang, D., & Liang, K. (2022). Defeat: Deep hidden feature backdoor attacks by imperceptible perturbation and latent representation constraints. In: CVPR.","DOI":"10.1109\/CVPR52688.2022.01478"},{"key":"2692_CR380","doi-asserted-by":"crossref","unstructured":"Zhao, P., Liu, S., Wang, Y., & Lin, X. (2018). An admm-based universal framework for adversarial attacks on deep neural networks. In: ACM Multimedia.","DOI":"10.1145\/3240508.3240639"},{"key":"2692_CR381","doi-asserted-by":"crossref","unstructured":"Zhao, S., Ma, X., Zheng, X., Bailey, J., Chen, J., & Jiang, Y.-G. (2020). Clean-label backdoor attacks on video recognition models. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.01445"},{"key":"2692_CR382","doi-asserted-by":"crossref","unstructured":"Zhao, P., Wang, S., Gongye, C., Wang, Y., Fei, Y., & Lin, X. (2019). 
Fault sneaking attack: A stealthy framework for misleading deep neural networks. In: ACM\/IEEE DAC.","DOI":"10.1145\/3316781.3317825"},{"key":"2692_CR383","doi-asserted-by":"crossref","unstructured":"Zhao, G., Zhang, M., Liu, J., Li, Y., & Wen, J.-R. (2022). Ap-gan: Adversarial patch attack on content-based image retrieval systems. GeoInformatica, 1\u201331.","DOI":"10.1007\/s10707-020-00418-7"},{"key":"2692_CR384","doi-asserted-by":"crossref","unstructured":"Zhao, Y., Zhu, H., Liang, R., Shen, Q., Zhang, S., & Chen, K. (2019). Seeing isn\u2019t believing: Towards more robust adversarial attack against real world object detectors. In: ACM CCS.","DOI":"10.1145\/3319535.3354259"},{"key":"2692_CR385","first-page":"6115","volume":"34","author":"Z Zhao","year":"2021","unstructured":"Zhao, Z., Liu, Z., & Larson, M. (2021). On success and simplicity: A second look at transferable targeted attacks. Advances in Neural Information Processing Systems, 34, 6115.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR386","first-page":"54111","volume":"36","author":"Y Zhao","year":"2024","unstructured":"Zhao, Y., Pang, T., Du, C., Yang, X., Li, C., Cheung, N.-M.M., & Lin, M. (2024). On evaluating adversarial robustness of large vision-language models. Advances in Neural Information Processing Systems, 36, 54111.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2692_CR387","doi-asserted-by":"crossref","unstructured":"Zheng, X., Fan, Y., Wu, B., Zhang, Y., Wang, J., & Pan, S. (2023). Robust physical-world attacks on face recognition. Pattern Recognition, 133, Article 109009.","DOI":"10.1016\/j.patcog.2022.109009"},{"key":"2692_CR388","doi-asserted-by":"crossref","unstructured":"Zheng, M., Wu, K., Fan, Y., Huang, R., & Wu, B. (2025). Seeking flat minima over diverse surrogates for improved adversarial transferability: A theoretical framework and algorithmic instantiation. 
arXiv preprint arXiv:2504.16474.","DOI":"10.1109\/TPAMI.2026.3679726"},{"key":"2692_CR389","doi-asserted-by":"crossref","unstructured":"Zheng, M., Yan, X., Zhu, Z., Chen, H., & Wu, B. (2025). Blackboxbench: A comprehensive benchmark of black-box adversarial attacks. IEEE Transactions on Pattern Analysis and Machine Intelligence.","DOI":"10.1109\/TPAMI.2025.3574432"},{"key":"2692_CR390","doi-asserted-by":"crossref","unstructured":"Zheng, Q., Yu, Y., Yang, S., Liu, J., Lam, K.-Y., & Kot, A. (2024). Towards physical world backdoor attacks against skeleton action recognition. In: ECCV.","DOI":"10.1007\/978-3-031-73195-2_13"},{"key":"2692_CR391","doi-asserted-by":"crossref","unstructured":"Zhong, H., Liao, C., Squicciarini, A.C., Zhu, S., & Miller, D. (2020). Backdoor embedding in convolutional neural network models via invisible perturbation. In: ACM CODASPY.","DOI":"10.1145\/3374664.3375751"},{"key":"2692_CR392","doi-asserted-by":"crossref","unstructured":"Zhong, N., Qian, Z., & Zhang, X. (2022). Imperceptible backdoor attack: from input space to feature representation. In: IJCAI.","DOI":"10.24963\/ijcai.2022\/242"},{"key":"2692_CR393","doi-asserted-by":"crossref","unstructured":"Zhou, H., Chen, D., Liao, J., Chen, K., Dong, X., Liu, K., Zhang, W., Hua, G., & Yu, N. (2020). Lg-gan: Label guided adversarial network for flexible targeted attack of point cloud based deep networks. In: CVPR.","DOI":"10.1109\/CVPR42600.2020.01037"},{"key":"2692_CR394","doi-asserted-by":"crossref","unstructured":"Zhou, L., Cui, P., Zhang, X., Jiang, Y., & Yang, S. (2022). Adversarial eigen attack on black-box models. In: CVPR.","DOI":"10.1109\/CVPR52688.2022.01482"},{"key":"2692_CR395","doi-asserted-by":"crossref","unstructured":"Zhu, Z., Chen, H., Wang, X., Zhang, J., Jin, Z., Choo, K.-K.R., Shen, J., & Yuan, D. (2025). Ge-advgan: Improving the transferability of adversarial samples by gradient editing-based adversarial generative model. 
In: SDM.","DOI":"10.1137\/1.9781611978032.81"},{"key":"2692_CR396","doi-asserted-by":"crossref","unstructured":"Zhu, D., Li, Y., Zhou, J., Wu, B., Wang, Z., & Lyu, S. (2025). Hiding faces in plain sight: Defending DeepFakes by disrupting face detection. IEEE Transactions on Dependable and Secure Computing, 22(6), 7010-7024.","DOI":"10.1109\/TDSC.2025.3592230"},{"key":"2692_CR397","doi-asserted-by":"crossref","unstructured":"Zhu, Y., Sun, J., & Li, Z. (2022). Rethinking adversarial transferability from a data distribution perspective. In: ICLR.","DOI":"10.1109\/TIP.2022.3211736"},{"key":"2692_CR398","unstructured":"Zhu, S., Zhang, R., An, B., Wu, G., Barrow, J., Wang, Z., Huang, F., Nenkova, A., & Sun, T. (2023). Autodan: Automatic and interpretable adversarial attacks on large language models. arXiv preprint arXiv:2310.15140."},{"key":"2692_CR399","unstructured":"Zhu, Z., Zhang, M., Wei, S., Shen, L., Fan, Y., & Wu, B. (2023). Boosting backdoor attack with a learnable poisoning sample selection strategy. arXiv preprint arXiv:2307.07328."},{"key":"2692_CR400","doi-asserted-by":"crossref","unstructured":"Zhuang, H., Zhang, Y., & Liu, S. (2023). A pilot study of query-free adversarial attack against stable diffusion. In: CVPR.","DOI":"10.1109\/CVPRW59228.2023.00236"},{"key":"2692_CR401","doi-asserted-by":"crossref","unstructured":"Zhu, Y., Chen, Y., Li, X., Chen, K., He, Y., Tian, X., Zheng, B., Chen, Y., & Huang, Q. (2022). Toward understanding and boosting adversarial transferability from a distribution perspective. IEEE Transactions on Image Processing, 31, 6487\u20136501.","DOI":"10.1109\/TIP.2022.3211736"},{"key":"2692_CR402","doi-asserted-by":"publisher","first-page":"2046","DOI":"10.1109\/TIFS.2023.3262156","volume":"18","author":"Y Zhu","year":"2023","unstructured":"Zhu, Y., Chen, Y., Li, X., Zhang, R., Tian, X., Zheng, B., & Chen, Y. (2023). Information-containing adversarial perturbation for combating facial manipulation systems. 
IEEE Transactions on Information Forensics and Security, 18, 2046.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"2692_CR403","volume":"37","author":"M Zhu","year":"2025","unstructured":"Zhu, M., Liang, S., & Wu, B. (2025). Breaking the false sense of security in backdoor defense through re-activation attack. Advances in Neural Information Processing Systems, 37, Article 114928.","journal-title":"Advances in Neural Information Processing Systems"}],"container-title":["International Journal of Computer Vision"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11263-025-02692-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11263-025-02692-0","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11263-025-02692-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,6,18]],"date-time":"2026-06-18T08:14:09Z","timestamp":1781770449000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11263-025-02692-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,7]]},"references-count":403,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2026,5]]}},"alternative-id":["2692"],"URL":"https:\/\/doi.org\/10.1007\/s11263-025-02692-0","relation":{},"ISSN":["0920-5691","1573-1405"],"issn-type":[{"value":"0920-5691","type":"print"},{"value":"1573-1405","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,4,7]]},"assertion":[{"value":"25 January 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"25 August 
2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"7 April 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"This manuscript is a survey without any evaluation; therefore, it is irrelevant to any code.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Code availability"}}],"article-number":"197"}}