{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T16:31:43Z","timestamp":1775147503874,"version":"3.50.1"},"reference-count":488,"publisher":"Springer Science and Business Media LLC","issue":"8","license":[{"start":{"date-parts":[[2025,7,3]],"date-time":"2025-07-03T00:00:00Z","timestamp":1751500800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,7,3]],"date-time":"2025-07-03T00:00:00Z","timestamp":1751500800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Sci. China Inf. Sci."],"published-print":{"date-parts":[[2025,8]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Artificial intelligence (AI) is revolutionizing both industries and reshaping the global economy. However, the rapid advancement of AI technologies brings significant security and privacy challenges. Recent incidents highlight vulnerabilities in AI systems, such as data leakage and malicious code injection, leading to severe financial losses and privacy breaches. Although existing studies have discussed specific security threats, they often lack detailed granularity and cover a limited scope. In this survey, we fill this gap by systematically categorizing and analyzing the threats and countermeasures in AI systems, which span both the training and inference stages, encompass centralized and distributed settings, and address both conventional and foundation AI models. By reviewing existing literature, we aim to provide AI researchers and practitioners with a thorough understanding of system vulnerabilities and current countermeasures. 
We hope to inspire further research into robust solutions, ultimately contributing to the development of resilient AI technologies.<\/jats:p>","DOI":"10.1007\/s11432-025-4388-5","type":"journal-article","created":{"date-parts":[[2025,7,5]],"date-time":"2025-07-05T10:45:53Z","timestamp":1751712353000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["Artificial intelligence security and privacy: a survey"],"prefix":"10.1007","volume":"68","author":[{"given":"Xinlei","family":"He","sequence":"first","affiliation":[]},{"given":"Guowen","family":"Xu","sequence":"additional","affiliation":[]},{"given":"Xingshuo","family":"Han","sequence":"additional","affiliation":[]},{"given":"Qian","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Lingchen","family":"Zhao","sequence":"additional","affiliation":[]},{"given":"Chao","family":"Shen","sequence":"additional","affiliation":[]},{"given":"Chenhao","family":"Lin","sequence":"additional","affiliation":[]},{"given":"Zhengyu","family":"Zhao","sequence":"additional","affiliation":[]},{"given":"Qian","family":"Li","sequence":"additional","affiliation":[]},{"given":"Le","family":"Yang","sequence":"additional","affiliation":[]},{"given":"Shouling","family":"Ji","sequence":"additional","affiliation":[]},{"given":"Shaofeng","family":"Li","sequence":"additional","affiliation":[]},{"given":"Haojin","family":"Zhu","sequence":"additional","affiliation":[]},{"given":"Zhibo","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Rui","family":"Zheng","sequence":"additional","affiliation":[]},{"given":"Tianqing","family":"Zhu","sequence":"additional","affiliation":[]},{"given":"Qi","family":"Li","sequence":"additional","affiliation":[]},{"given":"Chaoxiang","family":"He","sequence":"additional","affiliation":[]},{"given":"Qifan","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Hongsheng","family":"Hu","sequence":"add
itional","affiliation":[]},{"given":"Shuo","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Shi-Feng","family":"Sun","sequence":"additional","affiliation":[]},{"given":"Hongwei","family":"Yao","sequence":"additional","affiliation":[]},{"given":"Zhan","family":"Qin","sequence":"additional","affiliation":[]},{"given":"Kai","family":"Chen","sequence":"additional","affiliation":[]},{"given":"Yue","family":"Zhao","sequence":"additional","affiliation":[]},{"given":"Hongwei","family":"Li","sequence":"additional","affiliation":[]},{"given":"Xinyi","family":"Huang","sequence":"additional","affiliation":[]},{"given":"Dengguo","family":"Feng","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,7,3]]},"reference":[{"key":"4388_CR1","unstructured":"Radford A, Wu J, Child R, et al. Language models are unsupervised multitask learners. 2019. https:\/\/cdn.openai.com\/better-language-models\/language_models_are_unsupervised_multitask_learners.pdf"},{"key":"4388_CR2","unstructured":"Brown T B, Mann B, Ryder N, et al. Language models are few-shot learners. 2020. ArXiv:2005.14165"},{"key":"4388_CR3","first-page":"69","volume-title":"Proceedings of IEEE Security and Privacy Workshops (SPW)","author":"R S S Kumar","year":"2020","unstructured":"Kumar R S S, Nystr\u00f6m M, Lambert J, et al. Adversarial machine learning-industry perspectives. In: Proceedings of IEEE Security and Privacy Workshops (SPW), 2020. 69\u201375"},{"key":"4388_CR4","doi-asserted-by":"publisher","first-page":"212103","DOI":"10.1007\/s11432-023-3877-9","volume":"67","author":"R M Chen","year":"2024","unstructured":"Chen R M, Chen J R, Huang X Y, et al. RCCA-SM9: securing SM9 on corrupted machines. 
Sci China Inf Sci, 2024, 67: 212103","journal-title":"Sci China Inf Sci"},{"key":"4388_CR5","doi-asserted-by":"publisher","first-page":"122101","DOI":"10.1007\/s11432-022-3706-7","volume":"67","author":"X H Liu","year":"2024","unstructured":"Liu X H, Huang X Y, Cheng Z H, et al. Fault-tolerant identity-based encryption from SM9. Sci China Inf Sci, 2024, 67: 122101","journal-title":"Sci China Inf Sci"},{"key":"4388_CR6","doi-asserted-by":"publisher","first-page":"182302","DOI":"10.1007\/s11432-023-4010-4","volume":"67","author":"X Luo","year":"2024","unstructured":"Luo X, Liu C, Gou G P, et al. Identifying malicious traffic under concept drift based on intraclass consistency enhanced variational autoencoder. Sci China Inf Sci, 2024, 67: 182302","journal-title":"Sci China Inf Sci"},{"key":"4388_CR7","doi-asserted-by":"publisher","first-page":"182303","DOI":"10.1007\/s11432-023-4013-x","volume":"67","author":"Y W Tong","year":"2024","unstructured":"Tong Y W, Feng Q, Luo M, et al. Multi-party privacy-preserving decision tree training with a privileged party. Sci China Inf Sci, 2024, 67: 182303","journal-title":"Sci China Inf Sci"},{"key":"4388_CR8","doi-asserted-by":"publisher","first-page":"132101","DOI":"10.1007\/s11432-022-3507-7","volume":"67","author":"Y Li","year":"2023","unstructured":"Li Y, Yan H Y, Huang T, et al. Model architecture level privacy leakage in neural networks. Sci China Inf Sci, 2023, 67: 132101","journal-title":"Sci China Inf Sci"},{"key":"4388_CR9","doi-asserted-by":"publisher","first-page":"112103","DOI":"10.1007\/s11432-021-3673-6","volume":"67","author":"H Li","year":"2023","unstructured":"Li H, Cao S Y, Chen Y Q, et al. TULAM: trajectory-user linking via attention mechanism. Sci China Inf Sci, 2023, 67: 112103","journal-title":"Sci China Inf Sci"},{"key":"4388_CR10","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"W Li","year":"2025","unstructured":"Li W, Wang J, Zhang G, et al. 
EMIRIS: eavesdropping on IRIS information via electromagnetic side channel. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2025"},{"key":"4388_CR11","doi-asserted-by":"publisher","first-page":"109643","DOI":"10.1016\/j.compeleceng.2024.109643","volume":"119","author":"M M Saeed","year":"2024","unstructured":"Saeed M M, Alsharidah M. Security, privacy, and robustness for trustworthy AI systems: a review. Comput Electrical Eng, 2024, 119: 109643","journal-title":"Comput Electrical Eng"},{"key":"4388_CR12","first-page":"179","volume-title":"Proceedings of International Conference on Knowledge Science, Engineering and Management (KSEM)","author":"J Zou","year":"2024","unstructured":"Zou J, Zhang S, Qiu M. Different attack and defense types for AI cybersecurity. In: Proceedings of International Conference on Knowledge Science, Engineering and Management (KSEM), 2024. 179\u2013192"},{"key":"4388_CR13","first-page":"1","volume":"7","author":"K Ren","year":"2021","unstructured":"Ren K, Meng Q, Yan S, et al. Survey of artificial intelligence data security and privacy protection. Chin J Netw Inf Secur, 2021, 7: 1\u201310","journal-title":"Chin J Netw Inf Secur"},{"key":"4388_CR14","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3487890","volume":"55","author":"Y Hu","year":"2021","unstructured":"Hu Y, Kuang W, Qin Z, et al. Artificial intelligence security: threats and countermeasures. ACM Comput Surv, 2021, 55: 1\u201336","journal-title":"ACM Comput Surv"},{"key":"4388_CR15","first-page":"1834","volume-title":"Proceedings of IEEE Annual Computers, Software, and Applications Conference (COMPSAC)","author":"M M Rahman","year":"2023","unstructured":"Rahman M M, Arshi A S, Hasan M M, et al. Security risk and attacks in AI: a survey of security and privacy. In: Proceedings of IEEE Annual Computers, Software, and Applications Conference (COMPSAC), 2023. 
1834\u20131839"},{"key":"4388_CR16","first-page":"2627","volume-title":"Proceedings of Journal of Computer Research and Development","author":"Z Qin","year":"2024","unstructured":"Qin Z, Zhuang T, Zhu G, et al. Survey of security attack and defense strategies for artificial intelligence model. In: Proceedings of Journal of Computer Research and Development, 2024. 2627\u20132648"},{"key":"4388_CR17","doi-asserted-by":"publisher","first-page":"1640","DOI":"10.1057\/s41284-024-00435-3","volume":"37","author":"P Radanliev","year":"2024","unstructured":"Radanliev P. Digital security by design. Secur J, 2024, 37: 1640\u20131679","journal-title":"Secur J"},{"key":"4388_CR18","doi-asserted-by":"publisher","first-page":"747","DOI":"10.1007\/s12530-022-09431-7","volume":"13","author":"P Radanliev","year":"2022","unstructured":"Radanliev P, de Roure D, Maple C, et al. Super-forecasting the \u2018technological singularity\u2019 risks from artificial intelligence. Evolving Syst, 2022, 13: 747\u2013757","journal-title":"Evolving Syst"},{"key":"4388_CR19","first-page":"3945","volume-title":"Proceedings of International Joint Conferences on Artificial Intelligence (IJCAI)","author":"M Zhao","year":"2017","unstructured":"Zhao M, An B, Gao W, et al. Efficient label contamination attacks against black-box learning models. In: Proceedings of International Joint Conferences on Artificial Intelligence (IJCAI), 2017. 3945\u20133951"},{"key":"4388_CR20","first-page":"1885","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"P W Koh","year":"2017","unstructured":"Koh P W, Liang P. Understanding black-box predictions via influence functions. In: Proceedings of International Conference on Machine Learning (ICML), 2017. 1885\u20131894"},{"key":"4388_CR21","first-page":"19","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"M Jagielski","year":"2018","unstructured":"Jagielski M, Oprea A, Biggio B, et al. 
Manipulating machine learning: poisoning attacks and countermeasures for regression learning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2018. 19\u201335"},{"key":"4388_CR22","doi-asserted-by":"publisher","first-page":"27","DOI":"10.1145\/3128572.3140451","volume-title":"Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security","author":"L Mu\u00f1oz-Gonz\u00e1lez","year":"2017","unstructured":"Mu\u00f1oz-Gonz\u00e1lez L, Biggio B, Demontis A, et al. Towards poisoning of deep learning algorithms with back-gradient optimization. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, 2017. 27\u201338"},{"key":"4388_CR23","first-page":"2671","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"P Lv","year":"2023","unstructured":"Lv P, Yue C, Liang R, et al. A data-free backdoor injection approach in neural networks. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 2671\u20132688"},{"key":"4388_CR24","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"Y Liu","year":"2023","unstructured":"Liu Y, Li Z, Backes M, et al. Backdoor attacks against dataset distillation. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2023"},{"key":"4388_CR25","first-page":"703","volume-title":"Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P)","author":"A Salem","year":"2022","unstructured":"Salem A, Wen R, Backes M, et al. Dynamic backdoor attacks against machine learning models. In: Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P), 2022. 703\u2013718"},{"key":"4388_CR26","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"X Gong","year":"2022","unstructured":"Gong X, Chen Y, Dong J, et al. ATTEQ-NN: attention-based QoE-aware evasive backdoor attacks. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2022"},{"key":"4388_CR27","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"G Abad","year":"2024","unstructured":"Abad G, Ersoy O, Picek S, et al. Sneaky spikes: uncovering stealthy backdoor attacks in spiking neural networks with neuromorphic data. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR28","doi-asserted-by":"publisher","first-page":"678","DOI":"10.1145\/3503161.3548272","volume-title":"Proceedings of ACM International Conference on Multimedia (MM)","author":"S Hu","year":"2022","unstructured":"Hu S, Zhou Z, Zhang Y, et al. BadHash: invisible backdoor attacks against deep hashing with clean label. In: Proceedings of ACM International Conference on Multimedia (MM), 2022. 678\u2013686"},{"key":"4388_CR29","first-page":"1646","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"J Lan","year":"2024","unstructured":"Lan J, Wang J, Yan B, et al. FlowMur: a stealthy and practical audio backdoor attack with limited knowledge. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 1646\u20131664"},{"key":"4388_CR30","first-page":"113","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"J Lin","year":"2020","unstructured":"Lin J, Xu L, Liu Y, et al. Composite backdoor attack for deep neural network by mixing existing benign features. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2020. 113\u2013131"},{"key":"4388_CR31","first-page":"16443","volume-title":"Proceedings of IEEE International Conference on Computer Vision (ICCV)","author":"Y Li","year":"2021","unstructured":"Li Y, Li Y, Wu B, et al. Invisible backdoor attack with sample-specific triggers. In: Proceedings of IEEE International Conference on Computer Vision (ICCV), 2021. 
16443\u201316452"},{"key":"4388_CR32","first-page":"18944","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"K D Doan","year":"2021","unstructured":"Doan K D, Lao Y, Li P. Backdoor attack with imperceptible input and latent modification. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2021. 18944\u201318957"},{"key":"4388_CR33","first-page":"2124","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"H Qiu","year":"2024","unstructured":"Qiu H, Sun J, Zhang M, et al. BELT: old-school backdoor attacks can evade the state-of-the-art defense with backdoor exclusivity lifting. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 2124\u20132141"},{"key":"4388_CR34","first-page":"3385","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"X Han","year":"2024","unstructured":"Han X, Wu Y, Zhang Q, et al. Backdooring multimodal learning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 3385\u20133403"},{"key":"4388_CR35","first-page":"1141","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"S Oh","year":"2024","unstructured":"Oh S, Lee K, Park S, et al. Poisoned ChatGPT finds work for idle hands: exploring developers\u2019 coding practices with insecure suggestions from poisoned AI models. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 1141\u20131159"},{"key":"4388_CR36","first-page":"3104","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"M Jagielski","year":"2021","unstructured":"Jagielski M, Severi G, Harger N P, et al. Subpopulation data poisoning attacks. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 
3104\u20133122"},{"key":"4388_CR37","doi-asserted-by":"crossref","unstructured":"Huang H, Mu J, Gong N Z, et al. Data poisoning attacks to deep learning based recommender systems. 2021. ArXiv:2101.02644","DOI":"10.14722\/ndss.2021.24525"},{"key":"4388_CR38","first-page":"7285","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"M Chen","year":"2024","unstructured":"Chen M, Xu X, Lu L, et al. Devil in the room: triggering audio backdoors in the physical world. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 7285\u20137302"},{"key":"4388_CR39","unstructured":"Gu T, Dolan-Gavitt B, Garg S. BadNets: identifying vulnerabilities in the machine learning model supply chain. 2017. ArXiv:1708.06733"},{"key":"4388_CR40","first-page":"15054","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Z Wang","year":"2022","unstructured":"Wang Z, Zhai J, Ma S. BppAttack: stealthy and efficient Trojan attacks against deep neural networks via image quantization and contrastive adversarial learning. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2022. 15054\u201315063"},{"key":"4388_CR41","first-page":"6106","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"A Shafahi","year":"2018","unstructured":"Shafahi A, Huang W R, Najibi M, et al. Poison frogs! Targeted clean-label poisoning attacks on neural networks. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2018. 6106\u20136116"},{"key":"4388_CR42","first-page":"12080","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"W R Huang","year":"2020","unstructured":"Huang W R, Geiping J, Fowl L, et al. MetaPoison: practical general-purpose clean-label data poisoning. 
In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2020. 12080\u201312091"},{"key":"4388_CR43","first-page":"182","volume-title":"Proceedings of European Conference on Computer Vision (ECCV)","author":"Y Liu","year":"2020","unstructured":"Liu Y, Ma X, Bailey J, et al. Reflection backdoor: a natural backdoor attack on deep neural networks. In: Proceedings of European Conference on Computer Vision (ECCV), 2020. 182\u2013199"},{"key":"4388_CR44","first-page":"1487","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"G Severi","year":"2021","unstructured":"Severi G, Meyer J, Coull S E, et al. Explanation-guided backdoor poisoning attacks against malware classifiers. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 1487\u20131504"},{"key":"4388_CR45","first-page":"771","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Y Zeng","year":"2023","unstructured":"Zeng Y, Pan M, Just H A, et al. Narcissus: a practical clean-label backdoor attack with limited information. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2023. 771\u2013785"},{"key":"4388_CR46","first-page":"6867","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Ge","year":"2024","unstructured":"Ge Y, Wang Q, Huang H, et al. Hijacking attacks against neural network by analyzing training data. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 6867\u20136884"},{"key":"4388_CR47","first-page":"807","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"S Shan","year":"2024","unstructured":"Shan S, Ding W, Passananti J, et al. Nightshade: prompt-specific poisoning attacks on text-to-image generative models. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 
807\u2013825"},{"key":"4388_CR48","first-page":"3629","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"H Liu","year":"2022","unstructured":"Liu H, Jia J, Gong N Z. Poisonedencoder: poisoning the unlabeled pre-training data in contrastive learning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 3629\u20133645"},{"key":"4388_CR49","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"C Wei","year":"2024","unstructured":"Wei C, Meng W, Zhang Z, et al. LMSanitator: defending prompt-tuning against task-agnostic backdoors. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR50","first-page":"2029","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"G Tao","year":"2024","unstructured":"Tao G, Wang Z, Feng S, et al. Distribution preserving backdoor attack in self-supervised learning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 2029\u20132047"},{"key":"4388_CR51","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"A Salem","year":"2022","unstructured":"Salem A, Backes M, Zhang Y. Get a model! Model hijacking attack against machine learning models. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2022"},{"key":"4388_CR52","first-page":"2223","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"W M Si","year":"2023","unstructured":"Si W M, Backes M, Zhang Y, et al. Two-in-one: a model hijacking attack against text generation models. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 2223\u20132240"},{"key":"4388_CR53","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"G Amit","year":"2024","unstructured":"Amit G, Levy M, Mirsky Y. Transpose attack: stealing datasets with bidirectional training. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR54","first-page":"1605","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"M Fang","year":"2020","unstructured":"Fang M, Cao X, Jia J, et al. Local model poisoning attacks to Byzantine-robust federated learning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 1605\u20131622"},{"key":"4388_CR55","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"V Shejwalkar","year":"2021","unstructured":"Shejwalkar V, Houmansadr A. Manipulating the Byzantine: optimizing model poisoning attacks and defenses for federated learning. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2021"},{"key":"4388_CR56","first-page":"3396","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"X Cao","year":"2022","unstructured":"Cao X, Gong N Z. MPAF: model poisoning attacks to federated learning based on fake clients. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2022. 3396\u20133404"},{"key":"4388_CR57","first-page":"1354","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"V Shejwalkar","year":"2022","unstructured":"Shejwalkar V, Houmansadr A, Kairouz P, et al. Back to the drawing board: a critical evaluation of poisoning attacks on production federated learning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2022. 1354\u20131371"},{"key":"4388_CR58","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"T Krau\u00df","year":"2024","unstructured":"Krau\u00df T, K\u00f6nig J, Dmitrienko A, et al. Automatic adversarial adaption for stealthy poisoning attacks in federated learning. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR59","unstructured":"Caldas S, Duddu S M K, Wu P, et al. Leaf: a benchmark for federated settings. 2018. ArXiv:1812.01097"},{"key":"4388_CR60","first-page":"2013","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"M Naseri","year":"2024","unstructured":"Naseri M, Han Y, de Cristofaro E. BadVFL: backdoor attacks in vertical federated learning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 2013\u20132028"},{"key":"4388_CR61","first-page":"14774","volume-title":"Proceedings of Advances in Neural Information Processing Systems","author":"L Zhu","year":"2019","unstructured":"Zhu L, Liu Z, Han S. Deep leakage from gradients. In: Proceedings of Advances in Neural Information Processing Systems, 2019. 14774\u201314784"},{"key":"4388_CR62","first-page":"6381","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"K Yue","year":"2023","unstructured":"Yue K, Jin R, Wong C W, et al. Gradient obfuscation gives a false sense of security in federated learning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 6381\u20136398"},{"key":"4388_CR63","doi-asserted-by":"publisher","first-page":"818","DOI":"10.1109\/TIFS.2022.3227761","volume":"18","author":"H Yang","year":"2022","unstructured":"Yang H, Ge M, Xiang K, et al. Using highly compressed gradients in federated learning for data reconstruction attacks. IEEE Trans Inform Forensic Secur, 2022, 18: 818\u2013830","journal-title":"IEEE Trans Inform Forensic Secur"},{"key":"4388_CR64","first-page":"603","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"B Hitaj","year":"2017","unstructured":"Hitaj B, Ateniese G, Perez-Cruz F. Deep models under the GAN: information leakage from collaborative deep learning. 
In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2017. 603\u2013618"},{"key":"4388_CR65","first-page":"2512","volume-title":"Proceedings of IEEE Conference on Computer Communications (INFOCOM)","author":"Z Wang","year":"2019","unstructured":"Wang Z, Song M, Zhang Z, et al. Beyond inferring class representatives: user-level privacy leakage from federated learning. In: Proceedings of IEEE Conference on Computer Communications (INFOCOM), 2019. 2512\u20132520"},{"key":"4388_CR66","first-page":"29898","volume":"34","author":"J Jeon","year":"2021","unstructured":"Jeon J, Lee K, Oh S, et al. Gradient inversion with generative image prior. In: Proceedings of Advances in Neural Information Processing Systems, 2021. 34: 29898\u201329908","journal-title":"Proceedings of Advances in Neural Information Processing Systems"},{"key":"4388_CR67","first-page":"4944","volume-title":"Proceedings of IEEE International Conference on Computer Vision (ICCV)","author":"H Fang","year":"2023","unstructured":"Fang H, Chen B, Wang X, et al. GIFD: a generative gradient inversion method with feature domain optimization. In: Proceedings of IEEE International Conference on Computer Vision (ICCV), 2023. 4944\u20134953"},{"key":"4388_CR68","first-page":"2429","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"D Pasquini","year":"2022","unstructured":"Pasquini D, Francati D, Ateniese G. Eluding secure aggregation in federated learning via model inconsistency. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 2429\u20132443"},{"key":"4388_CR69","first-page":"1287","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"J C Zhao","year":"2024","unstructured":"Zhao J C, Sharma A, Elkordy A R, et al. LOKI: large-scale data reconstruction attack against federated learning through model manipulation. 
In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 1287\u20131305"},{"key":"4388_CR70","first-page":"2113","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"D Pasquini","year":"2021","unstructured":"Pasquini D, Ateniese G, Bernaschi M. Unleashing the tiger: inference attacks on split learning. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 2113\u20132129"},{"key":"4388_CR71","first-page":"5271","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"X Gao","year":"2023","unstructured":"Gao X, Zhang L. PCAT: functionality and data stealing from split learning by pseudo-client attack. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 5271\u20135288"},{"key":"4388_CR72","first-page":"12130","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"X Xu","year":"2024","unstructured":"Xu X, Yang M, Yi W, et al. A stealthy wrongdoer: feature-oriented reconstruction attack against split learning. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2024. 12130\u201312139"},{"key":"4388_CR73","first-page":"2743","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Bai","year":"2023","unstructured":"Bai Y, Chen Y, Zhang H, et al. VILLAIN: backdoor attacks against vertical split learning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 2743\u20132760"},{"key":"4388_CR74","first-page":"16531","volume-title":"Proceedings of AAAI Conference on Artificial Intelligence (AAAI)","author":"F Yu","year":"2024","unstructured":"Yu F, Zeng B, Zhao K, et al. Chronic poisoning: backdoor attack against split learning. In: Proceedings of AAAI Conference on Artificial Intelligence (AAAI), 2024. 
16531\u201316538"},{"key":"4388_CR75","first-page":"1291","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"A Salem","year":"2020","unstructured":"Salem A, Bhattacharya A, Backes M, et al. Updates-leak: data set inference and reconstruction attacks in online learning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 1291\u20131308"},{"key":"4388_CR76","first-page":"363","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"S Zanella-B\u00e9guelin","year":"2020","unstructured":"Zanella-B\u00e9guelin S, Wutschitz L, Tople S, et al. Analyzing information leakage of updates to natural language models. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2020. 363\u2013375"},{"key":"4388_CR77","first-page":"3257","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"H Hu","year":"2024","unstructured":"Hu H, Wang S, Dong T, et al. Learn what you want to unlearn: unlearning inversion attacks against machine unlearning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 3257\u20133275"},{"key":"4388_CR78","first-page":"377","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"C Song","year":"2020","unstructured":"Song C, Raghunathan A. Information leakage in embedding models. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2020. 377\u2013390"},{"key":"4388_CR79","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"S An","year":"2022","unstructured":"An S, Tao G, Xu Q, et al. MIRROR: model inversion for deep learning network with high fidelity. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2022"},{"key":"4388_CR80","first-page":"1138","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"B Balle","year":"2022","unstructured":"Balle B, Cherubin G, Hayes J. Reconstructing training data with informed adversaries. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2022. 1138\u20131156"},{"key":"4388_CR81","first-page":"1314","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"X Pan","year":"2020","unstructured":"Pan X, Zhang M, Ji S, et al. Privacy risks of general-purpose language models. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2020. 1314\u20131331"},{"key":"4388_CR82","first-page":"2669","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"X He","year":"2021","unstructured":"He X, Jia J, Backes M, et al. Stealing links from graph neural networks. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 2669\u20132686"},{"key":"4388_CR83","first-page":"2005","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"F Wu","year":"2022","unstructured":"Wu F, Long Y, Zhang C, et al. LINKTELLER: recovering private edges from graph neural networks via influence analysis. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2022. 2005\u20132024"},{"key":"4388_CR84","first-page":"2871","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"X Wang","year":"2022","unstructured":"Wang X, Wang W H. Group property inference attacks against graph neural networks. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 
2871\u20132884"},{"key":"4388_CR85","first-page":"1153","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"L Meng","year":"2023","unstructured":"Meng L, Bai Y, Chen Y, et al. Devil in disguise: breaching graph neural networks privacy through infiltration. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2023. 1153\u20131167"},{"key":"4388_CR86","first-page":"4543","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Z Zhang","year":"2022","unstructured":"Zhang Z, Chen M, Backes M, et al. Inference attacks against graph neural networks. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 4543\u20134560"},{"key":"4388_CR87","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"J Zhou","year":"2022","unstructured":"Zhou J, Chen Y, Shen C, et al. Property inference attacks against GANs. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2022"},{"key":"4388_CR88","first-page":"346","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"N Lukas","year":"2023","unstructured":"Lukas N, Salem A, Sim R, et al. Analyzing leakage of personally identifiable information in language models. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 346\u2013363"},{"key":"4388_CR89","first-page":"4579","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"S Mehnaz","year":"2022","unstructured":"Mehnaz S, Dibbo S V, Kabir E, et al. Are your sensitive attributes private? Novel model inversion attribute inference attacks on classification models. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 
4579\u20134596"},{"key":"4388_CR90","first-page":"2096","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"A Hu","year":"2021","unstructured":"Hu A, Xie R, Lu Z, et al. TableGAN-MCA: evaluating membership collisions of GAN-synthesized tabular data releasing. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 2096\u20132112"},{"key":"4388_CR91","first-page":"4561","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"X Yuan","year":"2022","unstructured":"Yuan X, Zhang L. Membership inference attacks and defenses in neural network pruning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 4561\u20134578"},{"key":"4388_CR92","first-page":"4791","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"H Liu","year":"2024","unstructured":"Liu H, Wu Y, Yu Z, et al. Please tell me more: privacy impact of explainability through the lens of membership inference attack. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 4791\u20134809"},{"key":"4388_CR93","first-page":"4525","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Liu","year":"2022","unstructured":"Liu Y, Wen R, He X, et al. ML-doctor: holistic risk assessment of inference attacks against machine learning models. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 4525\u20134542"},{"key":"4388_CR94","first-page":"2615","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"L Song","year":"2021","unstructured":"Song L, Mittal P. Systematic evaluation of privacy risks of machine learning models. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 
2615\u20132632"},{"key":"4388_CR95","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"G Chen","year":"2024","unstructured":"Chen G, Zhang Y, Song F. SLMIA-SR: speaker-level membership inference attacks against speaker recognition systems. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR96","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"Y Pang","year":"2025","unstructured":"Pang Y, Wang T. Black-box membership inference attacks against fine-tuned diffusion models. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2025"},{"key":"4388_CR97","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"R Wen","year":"2025","unstructured":"Wen R, Backes M, Zhang Y. Understanding data importance in machine learning attacks: does valuable data pose greater harm? In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2025"},{"key":"4388_CR98","first-page":"2423","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"L Wang","year":"2024","unstructured":"Wang L, Wang J, Wan J, et al. Property existence inference against generative models. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 2423\u20132440"},{"key":"4388_CR99","first-page":"343","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"D Chen","year":"2020","unstructured":"Chen D, Yu N, Zhang Y, et al. GAN-leaks: a taxonomy of membership inference attacks against generative models. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2020. 343\u2013362"},{"key":"4388_CR100","first-page":"5841","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Wu","year":"2024","unstructured":"Wu Y, Wen R, Backes M, et al. 
Quantifying privacy risks of prompts in visual prompt learning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 5841\u20135858"},{"key":"4388_CR101","first-page":"3093","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"J Ye","year":"2022","unstructured":"Ye J, Maddi A, Murakonda S K, et al. Enhanced membership inference attacks against machine learning models. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 3093\u20133106"},{"key":"4388_CR102","first-page":"2779","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"F Tram\u00e8r","year":"2022","unstructured":"Tram\u00e8r F, Shokri R, Joaquin A S, et al. Truth serum: poisoning machine learning models to reveal their secrets. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 2779\u20132792"},{"key":"4388_CR103","first-page":"131","volume-title":"Proceedings of IEEE\/ACM International Conference on Computer-Aided Design (ICCAD)","author":"Y Liu","year":"2017","unstructured":"Liu Y, Wei L, Luo B, et al. Fault injection attack on deep neural network. In: Proceedings of IEEE\/ACM International Conference on Computer-Aided Design (ICCAD), 2017. 131\u2013138"},{"key":"4388_CR104","first-page":"497","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"S Hong","year":"2019","unstructured":"Hong S, Frigo P, Kaya Y, et al. Terminal brain damage: exposing the graceless degradation in deep neural networks under hardware fault attacks. In: Proceedings of USENIX Security Symposium (USENIX Security), 2019. 497\u2013514"},{"key":"4388_CR105","first-page":"1211","volume-title":"Proceedings of IEEE International Conference on Computer Vision (ICCV)","author":"A S Rakin","year":"2019","unstructured":"Rakin A S, He Z, Fan D. 
Bit-flip attack: crushing neural network with progressive bit search. In: Proceedings of IEEE International Conference on Computer Vision (ICCV), 2019. 1211\u20131220"},{"key":"4388_CR106","first-page":"770","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"K He","year":"2016","unstructured":"He K, Zhang X, Ren S, et al. Deep residual learning for image recognition. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016. 770\u2013778"},{"key":"4388_CR107","first-page":"13195","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"A S Rakin","year":"2020","unstructured":"Rakin A S, He Z, Fan D. TBT: targeted neural network attack with bit Trojan. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2020. 13195\u201313204"},{"key":"4388_CR108","first-page":"1331","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Z Wang","year":"2024","unstructured":"Wang Z, Tang D, Wang X, et al. Tossing in the dark: practical bit-flipping on gray-box deep neural networks for runtime Trojan injection. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 1331\u20131348"},{"key":"4388_CR109","first-page":"2204","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"J Breier","year":"2018","unstructured":"Breier J, Hou X, Jap D, et al. Practical fault attack on deep neural networks. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2018. 2204\u20132206"},{"key":"4388_CR110","first-page":"1463","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"F Yao","year":"2020","unstructured":"Yao F, Rakin A S, Fan D. DeepHammer: depleting the intelligence of deep neural networks through targeted chain of bit flips. 
In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 1463\u20131480"},{"key":"4388_CR111","first-page":"2067","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"K Cai","year":"2024","unstructured":"Cai K, Chowdhuryy M H I, Zhang Z, et al. DeepVenom: persistent DNN backdoors exploiting transient weight perturbations in memories. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 2067\u20132085"},{"key":"4388_CR112","first-page":"7718","volume-title":"Proceedings of IEEE International Conference on Computer Vision (ICCV)","author":"H Chen","year":"2021","unstructured":"Chen H, Fu C, Zhao J, et al. ProFlip: targeted Trojan attack with progressive bit flips. In: Proceedings of IEEE International Conference on Computer Vision (ICCV), 2021. 7718\u20137727"},{"key":"4388_CR113","first-page":"109","volume-title":"Proceedings of Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN)","author":"M C Tol","year":"2023","unstructured":"Tol M C, Islam S, Adiletta A J, et al. Don\u2019t knock! Rowhammer at the backdoor of DNN models. In: Proceedings of Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), 2023. 109\u2013122"},{"key":"4388_CR114","first-page":"1505","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"E Bagdasaryan","year":"2021","unstructured":"Bagdasaryan E, Shmatikov V. Blind backdoors in deep learning models. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 1505\u20131521"},{"key":"4388_CR115","first-page":"344","volume-title":"Proceedings of IEEE Conference on Secure and Trustworthy Machine Learning (SaTML)","author":"E Clifford","year":"2024","unstructured":"Clifford E, Shumailov I, Zhao Y, et al. ImpNet: imperceptible and blackbox-undetectable backdoors in compiled neural networks. In: Proceedings of IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 2024. 
344\u2013357"},{"key":"4388_CR116","first-page":"1315","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"S Li","year":"2024","unstructured":"Li S, Wang X, Xue M, et al. Yes, one-bit-flip matters! Universal DNN model inference depletion with runtime code fault injection. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 1315\u20131330"},{"key":"4388_CR117","doi-asserted-by":"publisher","first-page":"2278","DOI":"10.1109\/5.726791","volume":"86","author":"Y Lecun","year":"1998","unstructured":"Lecun Y, Bottou L, Bengio Y, et al. Gradient-based learning applied to document recognition. Proc IEEE, 1998, 86: 2278\u20132324","journal-title":"Proc IEEE"},{"key":"4388_CR118","unstructured":"Simonyan K, Zisserman A. Very deep convolutional networks for large-scale image recognition. 2014. ArXiv:1409.1556"},{"key":"4388_CR119","doi-asserted-by":"publisher","first-page":"323","DOI":"10.1016\/j.neunet.2012.02.016","volume":"32","author":"J Stallkamp","year":"2012","unstructured":"Stallkamp J, Schlipsing M, Salmen J, et al. Man vs. computer: benchmarking machine learning algorithms for traffic sign recognition. Neural Netws, 2012, 32: 323\u2013332","journal-title":"Neural Netws"},{"key":"4388_CR120","first-page":"3557","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Q Fu","year":"2022","unstructured":"Fu Q, Dong Y, Su H, et al. AutoDA: automated decision-based iterative adversarial attacks. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 3557\u20133574"},{"key":"4388_CR121","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"V Q Vo","year":"2022","unstructured":"Vo V Q, Abbasnejad E, Ranasinghe D C. Ramboattack: a robust and query efficient deep neural network decision exploit. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2022"},{"key":"4388_CR122","first-page":"2991","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"M Shen","year":"2024","unstructured":"Shen M, Li C, Li Q, et al. Transferability of white-box perturbations: query-efficient adversarial attacks against commercial DNN services. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 2991\u20133008"},{"key":"4388_CR123","first-page":"1327","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"F Suya","year":"2020","unstructured":"Suya F, Chi J, Evans D, et al. Hybrid batch attacks: finding black-box adversarial examples with limited queries. In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 1327\u20131344"},{"key":"4388_CR124","first-page":"3639","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"M Levi","year":"2024","unstructured":"Levi M, Kontorovich A. Splitting the difference on adversarial training. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 3639\u20133656"},{"key":"4388_CR125","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"H Xia","year":"2024","unstructured":"Xia H, Zhang R, Kang Z, et al. Enhance stealthiness and transferability of adversarial attacks with class activation mapping ensemble attack. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR126","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"C He","year":"2024","unstructured":"He C, Ma X, Zhu B B, et al. DorPatch: distributed and occlusion-robust adversarial patch to evade certifiable defenses. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR127","first-page":"74","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"X Meng","year":"2024","unstructured":"Meng X, Wang L, Guo S, et al. AVA: inconspicuous attribute variation-based adversarial attack bypassing deepfake detection. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 74\u201390"},{"key":"4388_CR128","first-page":"91","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"S M Abdullah","year":"2024","unstructured":"Abdullah S M, Cheruvu A, Kanchi S, et al. An analysis of recent advances in deepfake image detection in an evolving threat landscape. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 91\u2013109"},{"key":"4388_CR129","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"J Chang","year":"2023","unstructured":"Chang J, Javaheripi M, Hidano S, et al. RoVISQ: reduction of video service quality via adversarial attacks on deep learning-based video compression. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2023"},{"key":"4388_CR130","first-page":"1631","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Y Cao","year":"2023","unstructured":"Cao Y, Xiao X, Sun R, et al. StyleFool: fooling video classification systems via style transfer. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 1631\u20131648"},{"key":"4388_CR131","first-page":"1390","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"S Xie","year":"2022","unstructured":"Xie S, Wang H, Kong Y, et al. Universal 3-dimensional perturbations for black-box attacks on video recognition systems. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2022. 
1390\u20131407"},{"key":"4388_CR132","first-page":"1384","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"S Dyrmishi","year":"2023","unstructured":"Dyrmishi S, Ghamizi S, Simonetto T, et al. On the empirical effectiveness of unrealistic adversarial hardening against realistic adversarial attacks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 1384\u20131400"},{"key":"4388_CR133","first-page":"2025","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"J Liu","year":"2022","unstructured":"Liu J, Kang Y, Tang D, et al. Order-disorder: imitation adversarial attacks for black-box neural ranking models. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 2025\u20132039"},{"key":"4388_CR134","first-page":"1987","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"N Boucher","year":"2022","unstructured":"Boucher N, Shumailov I, Anderson R, et al. Bad characters: imperceptible NLP attacks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2022. 1987\u20132004"},{"key":"4388_CR135","first-page":"495","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"R Sheatsley","year":"2021","unstructured":"Sheatsley R, Hoak B, Pauley E, et al. On the robustness of domain constraints. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 495\u2013515"},{"key":"4388_CR136","first-page":"108","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"J Mu","year":"2021","unstructured":"Mu J, Wang B, Li Q, et al. A hard label black-box adversarial attack against graph neural networks. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 
108\u2013125"},{"key":"4388_CR137","first-page":"126","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"A Bahramali","year":"2021","unstructured":"Bahramali A, Nasr M, Houmansadr A, et al. Robust adversarial attacks against DNN-based wireless communication systems. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 126\u2013140"},{"key":"4388_CR138","first-page":"1924","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"X Wang","year":"2021","unstructured":"Wang X, He K. Enhancing the transferability of adversarial attacks through variance tuning. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2021. 1924\u20131933"},{"key":"4388_CR139","unstructured":"Yang Y, Lin C, Ji X, et al. Towards deep learning models resistant to transfer-based adversarial attacks via data-centric robust learning. 2023. ArXiv:2310.09891"},{"key":"4388_CR140","first-page":"2065","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"C Xiang","year":"2022","unstructured":"Xiang C, Mahloujifar S, Mittal P. PatchCleanser: certifiably robust defense against adversarial patches for any image classifier. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 2065\u20132082"},{"key":"4388_CR141","first-page":"446","volume-title":"Proceedings of International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications (VISIGRAPP)","author":"J Ricker","year":"2024","unstructured":"Ricker J, Damm S, Holz T, et al. Towards the detection of diffusion model deepfakes. In: Proceedings of International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications (VISIGRAPP), 2024. 446\u2013457"},{"key":"4388_CR142","unstructured":"Soomro K, Zamir A R, Shah M. 
UCF101: a dataset of 101 human actions classes from videos in the wild. 2012. ArXiv:1212.0402"},{"key":"4388_CR143","first-page":"2556","volume-title":"Proceedings of IEEE International Conference on Computer Vision (ICCV)","author":"H Kuehne","year":"2011","unstructured":"Kuehne H, Jhuang H, Garrote E, et al. HMDB: a large video database for human motion recognition. In: Proceedings of IEEE International Conference on Computer Vision (ICCV), 2011. 2556\u20132563"},{"key":"4388_CR144","doi-asserted-by":"crossref","unstructured":"Craswell N, Mitra B, Yilmaz E, et al. Overview of the TREC 2019 deep learning track. 2020. ArXiv:2003.07820","DOI":"10.6028\/NIST.SP.1266.deep-overview"},{"key":"4388_CR145","first-page":"311","volume-title":"Proceedings of Annual Meeting of the Association for Computational Linguistics (ACL)","author":"K Papineni","year":"2002","unstructured":"Papineni K, Roukos S, Ward T, et al. BLEU: a method for automatic evaluation of machine translation. In: Proceedings of Annual Meeting of the Association for Computational Linguistics (ACL), 2002. 311\u2013318"},{"key":"4388_CR146","first-page":"2539","volume":"12","author":"N Shervashidze","year":"2011","unstructured":"Shervashidze N, Schweitzer P, van Leeuwen E J, et al. Weisfeiler-Lehman graph kernels. J Mach Learn Res, 2011, 12: 2539\u20132561","journal-title":"J Mach Learn Res"},{"key":"4388_CR147","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"J Dong","year":"2025","unstructured":"Dong J, Zhang Z, Zhang Q, et al. An engorgio prompt makes large language model babble on. In: Proceedings of International Conference on Learning Representations (ICLR), 2025"},{"key":"4388_CR148","first-page":"3945","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"G Zhang","year":"2024","unstructured":"Zhang G, Ma X, Zhang H, et al. LaserAdv: laser adversarial attacks on speech recognition systems. 
In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 3945\u20133961"},{"key":"4388_CR149","first-page":"235","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"E Wenger","year":"2021","unstructured":"Wenger E, Bronckers M, Cianfarani C, et al. \u201cHello, it\u2019s me\u201d: deep learning-based speech synthesis attacks in the real world. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 235\u2013251"},{"key":"4388_CR150","first-page":"905","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"R Duan","year":"2022","unstructured":"Duan R, Qu Z, Zhao S, et al. Perception-aware attack: creating adversarial music via reverse-engineering human perception. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 905\u2013919"},{"key":"4388_CR151","first-page":"1353","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"H Guo","year":"2022","unstructured":"Guo H, Wang Y, Ivanov N, et al. SPECPATCH: human-in-the-loop adversarial audio spectrogram patch attack on speech recognition. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 1353\u20131366"},{"key":"4388_CR152","first-page":"2667","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Chen","year":"2020","unstructured":"Chen Y, Yuan X, Zhang J, et al. Devil\u2019s Whisper: a general approach for physical adversarial attacks against commercial black-box speech recognition devices. In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 
2667\u20132684"},{"key":"4388_CR153","first-page":"86","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"B Zheng","year":"2021","unstructured":"Zheng B, Jiang P, Wang Q, et al. Black-box adversarial attacks on commercial speech platforms with minimal information. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 86\u2013107"},{"key":"4388_CR154","first-page":"694","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"G Chen","year":"2021","unstructured":"Chen G, Chen S, Fan L, et al. Who is real Bob? Adversarial attacks on speaker recognition systems. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 694\u2013711"},{"key":"4388_CR155","first-page":"2973","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Ge","year":"2024","unstructured":"Ge Y, Chen P, Wang Q, et al. More simplicity for trainers, more opportunity for attackers: black-box attacks on speaker recognition systems by inferring feature extractor. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 2973\u20132990"},{"key":"4388_CR156","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"R Duan","year":"2024","unstructured":"Duan R, Qu Z, Ding L, et al. Parrot-trained adversarial examples: pushing the practicality of black-box audio attacks against speaker recognition models. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR157","doi-asserted-by":"crossref","unstructured":"Fang Z, Wang T, Zhao L, et al. Zero-query adversarial attack on black-box automatic speech recognition systems. 2024. 
ArXiv:2406.19311","DOI":"10.1145\/3658644.3670309"},{"key":"4388_CR158","first-page":"712","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"H Abdullah","year":"2021","unstructured":"Abdullah H, Rahman M S, Garcia W, et al. Hear \u201cno evil\u201d, see \u201cKenansville\u201d*: efficient and transferable black-box attacks on speech recognition and voice identification systems. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 712\u2013729"},{"key":"4388_CR159","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"X Li","year":"2024","unstructured":"Li X, Yan C, Lu X, et al. Inaudible adversarial perturbation: manipulating the recognition of user speech in real time. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR160","first-page":"1667","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"W Zong","year":"2023","unstructured":"Zong W, Chow Y, Susilo W, et al. TrojanModel: a practical Trojan attack against automatic speech recognition systems. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 1667\u20131683"},{"key":"4388_CR161","first-page":"1861","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Y Chen","year":"2021","unstructured":"Chen Y, Bai Y, Mitev R, et al. FakeWake: understanding and mitigating fake wake-up words of voice assistants. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 1861\u20131883"},{"key":"4388_CR162","first-page":"3799","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Z Yu","year":"2023","unstructured":"Yu Z, Chang Y, Zhang N, et al. SMACK: semantically meaningful adversarial audio attack. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 
3799\u20133816"},{"key":"4388_CR163","first-page":"1930","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"W Wang","year":"2021","unstructured":"Wang W, Yao Y, Liu X, et al. I can see the light: attacks on autonomous vehicles using invisible lights. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 1930\u20131944"},{"key":"4388_CR164","first-page":"1957","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"C Yan","year":"2022","unstructured":"Yan C, Xu Z, Yin Z, et al. Rolling colors: adversarial laser exploits against traffic light recognition. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 1957\u20131974"},{"key":"4388_CR165","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"T Sato","year":"2024","unstructured":"Sato T, Bhupathiraju S H V, Clifford M, et al. Invisible reflections: leveraging infrared laser reflections to target traffic sign perception. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR166","first-page":"160","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"X Ji","year":"2021","unstructured":"Ji X, Cheng Y, Zhang Y, et al. Poltergeist: acoustic adversarial machine learning against cameras and computer vision. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 160\u2013175"},{"key":"4388_CR167","first-page":"1945","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Y Zhu","year":"2021","unstructured":"Zhu Y, Miao C, Zheng T, et al. Can we use arbitrary objects to attack lidar perception in autonomous driving? In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 
1945\u20131960"},{"key":"4388_CR168","first-page":"2993","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Cao","year":"2023","unstructured":"Cao Y, Bhupathiraju S H, Naghavi P, et al. You can\u2019t see me: physical removal attacks on lidar-based autonomous vehicles driving frameworks. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 2993\u20133010"},{"key":"4388_CR169","first-page":"1822","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Z Jin","year":"2023","unstructured":"Jin Z, Ji X, Cheng Y, et al. PLA-LiDAR: physical laser attacks against lidar-based 3D object detection in autonomous vehicle. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 1822\u20131839"},{"key":"4388_CR170","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"T Sato","year":"2024","unstructured":"Sato T, Hayakawa Y, Suzuki R, et al. Lidar spoofing meets the new-gen: capability improvements, broken assumptions, and new attack strategies. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR171","first-page":"1903","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"R S Hallyburton","year":"2022","unstructured":"Hallyburton R S, Liu Y, Cao Y, et al. Security analysis of camera-lidar fusion against black-box attacks on autonomous vehicles. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 1903\u20131920"},{"key":"4388_CR172","first-page":"6309","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Q Zhang","year":"2024","unstructured":"Zhang Q, Jin S, Zhu R, et al. On data fabrication in collaborative vehicular perception: attacks and countermeasures. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 
6309\u20136326"},{"key":"4388_CR173","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"D Hunt","year":"2024","unstructured":"Hunt D, Angell K, Qi Z, et al. MadRadar: a black-box physical layer attack framework on mmwave automotive FMCW radars. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR174","first-page":"2309","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"R Muller","year":"2022","unstructured":"Muller R, Man Y, Celik Z B, et al. Physical hijacking attacks against object trackers. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 2309\u20132322"},{"key":"4388_CR175","first-page":"7339","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"S Zhu","year":"2024","unstructured":"Zhu S, Zhao Y, Chen K, et al. AE-Morpher: improve physical robustness of adversarial objects against lidar-based detectors via object reconstruction. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 7339\u20137356"},{"key":"4388_CR176","first-page":"176","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Y Cao","year":"2021","unstructured":"Cao Y, Wang N, Xiao C, et al. Invisible for both camera and lidar: security of multi-sensor fusion based perception in autonomous driving under physical-world attacks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 176\u2013194"},{"key":"4388_CR177","first-page":"1865","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"G Lovisotto","year":"2021","unstructured":"Lovisotto G, Turner H, Sluganovic I, et al. SLAP: improving physical adversarial examples with short-lived adversarial perturbations. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 
1865\u20131882"},{"key":"4388_CR178","first-page":"4389","volume-title":"Proceedings of IEEE International Conference on Computer Vision (ICCV)","author":"N Wang","year":"2023","unstructured":"Wang N, Luo Y, Sato T, et al. Does physical adversarial example really matter to autonomous driving? Towards system-level effect of adversarial object evasion attack. In: Proceedings of IEEE International Conference on Computer Vision (ICCV), 2023. 4389\u20134400"},{"key":"4388_CR179","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"W Jia","year":"2022","unstructured":"Jia W, Lu Z, Zhang H, et al. Fooling the eyes of autonomous vehicles: robust physical adversarial examples against traffic sign recognition systems. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2022"},{"key":"4388_CR180","first-page":"661","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"W Zhu","year":"2023","unstructured":"Zhu W, Ji X, Cheng Y, et al. TPatch: a triggered physical adversarial patch. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 661\u2013678"},{"key":"4388_CR181","first-page":"5233","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"T Nayan","year":"2024","unstructured":"Nayan T, Guo Q, Alduniawi M, et al. SoK: all you need to know about on-device ML model extraction\u2014the gap between research and practice. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 5233\u20135250"},{"key":"4388_CR182","first-page":"2115","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Y Liu","year":"2022","unstructured":"Liu Y, Jia J, Liu H, et al. Stolenencoder: stealing pre-trained encoders in self-supervised learning. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 
2115\u20132128"},{"key":"4388_CR183","first-page":"1175","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Y Shen","year":"2022","unstructured":"Shen Y, He X, Han Y, et al. Model stealing attacks against inductive graph neural networks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2022. 1175\u20131192"},{"key":"4388_CR184","first-page":"5251","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Zhuang","year":"2024","unstructured":"Zhuang Y, Shi C, Zhang M, et al. Unveiling the secrets without data: can graph neural networks be exploited through data-free model extraction attacks? In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 5251\u20135268"},{"key":"4388_CR185","first-page":"1309","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"V Chandrasekaran","year":"2020","unstructured":"Chandrasekaran V, Chaudhuri K, Giacomelli I, et al. Exploring connections between active learning and model extraction. In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 1309\u20131326"},{"key":"4388_CR186","first-page":"4954","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"T Orekondy","year":"2019","unstructured":"Orekondy T, Schiele B, Fritz M. Knockoff nets: stealing functionality of black-box models. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2019. 4954\u20134963"},{"key":"4388_CR187","first-page":"1","volume-title":"Proceedings of the Workshop on Artificial Intelligence and Security","author":"M B Dor","year":"2024","unstructured":"Dor M B, Mirsky Y. Efficient model extraction via boundary sampling. In: Proceedings of the Workshop on Artificial Intelligence and Security, 2024. 
1\u201311"},{"key":"4388_CR188","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"H Yu","year":"2020","unstructured":"Yu H, Yang K, Zhang T, et al. CloudLeak: large-scale deep learning models stealing through adversarial examples. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2020"},{"key":"4388_CR189","first-page":"25","volume-title":"Proceedings of Advances in Neural Information Processing Systems","author":"A Krizhevsky","year":"2012","unstructured":"Krizhevsky A, Sutskever I, Hinton G E. Imagenet classification with deep convolutional neural networks. In: Proceedings of Advances in Neural Information Processing Systems, 2012. 25"},{"key":"4388_CR190","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"K Krishna","year":"2020","unstructured":"Krishna K, Tomar G S, Parikh A P, et al. Thieves on Sesame Street! Model extraction of Bert-based APIs. In: Proceedings of International Conference on Learning Representations (ICLR), 2020"},{"key":"4388_CR191","first-page":"382","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Y Chen","year":"2023","unstructured":"Chen Y, Guan R, Gong X, et al. D-DAE: defense-penetrating model extraction attacks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 382\u2013399"},{"key":"4388_CR192","first-page":"1955","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Z Sun","year":"2021","unstructured":"Sun Z, Sun R, Lu L, et al. Mind your weight(s): a large-scale study on insufficient machine learning model protection in mobile apps. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 
1955\u20131972"},{"key":"4388_CR193","first-page":"601","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"F Tram\u00e8r","year":"2016","unstructured":"Tram\u00e8r F, Zhang F, Juels A, et al. Stealing machine learning models via prediction APIs. In: Proceedings of USENIX Security Symposium (USENIX Security), 2016. 601\u2013618"},{"key":"4388_CR194","first-page":"36","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"B Wang","year":"2018","unstructured":"Wang B, Gong N Z. Stealing hyperparameters in machine learning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2018. 36\u201352"},{"key":"4388_CR195","doi-asserted-by":"publisher","first-page":"1527","DOI":"10.1109\/TR.2021.3105697","volume":"71","author":"J Breier","year":"2022","unstructured":"Breier J, Jap D, Hou X, et al. SNIFF: reverse engineering of neural networks with fault attacks. IEEE Trans Rel, 2022, 71: 1527\u20131539","journal-title":"IEEE Trans Rel"},{"key":"4388_CR196","first-page":"2003","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"M Yan","year":"2020","unstructured":"Yan M, Fletcher C W, Torrellas J. Cache telepathy: leveraging shared resource attacks to learn DNN architectures. In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 2003\u20132020"},{"key":"4388_CR197","first-page":"719","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Yarom","year":"2014","unstructured":"Yarom Y, Falkner K. FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: Proceedings of USENIX Security Symposium (USENIX Security), 2014. 719\u2013732"},{"key":"4388_CR198","first-page":"605","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"F Liu","year":"2015","unstructured":"Liu F, Yarom Y, Ge Q, et al. Last-level cache side-channel attacks are practical. 
In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2015. 605\u2013622"},{"key":"4388_CR199","first-page":"1","volume-title":"Proceedings of Topics in Cryptology - CT-RSA 2006","author":"D A Osvik","year":"2006","unstructured":"Osvik D A, Shamir A, Tromer E. Cache attacks and countermeasures: the case of AES. In: Proceedings of Topics in Cryptology - CT-RSA 2006, 2006. 1\u201320"},{"key":"4388_CR200","first-page":"1157","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"A S Rakin","year":"2022","unstructured":"Rakin A S, Chowdhuryy M H I, Yao F, et al. DeepSteal: advanced model extractions leveraging efficient weight stealing in memories. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2022. 1157\u20131174"},{"key":"4388_CR201","first-page":"515","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"L Batina","year":"2019","unstructured":"Batina L, Bhasin S, Jap D, et al. CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In: Proceedings of USENIX Security Symposium (USENIX Security), 2019. 515\u2013532"},{"key":"4388_CR202","first-page":"209","volume-title":"Proceedings of IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","author":"H Yu","year":"2020","unstructured":"Yu H, Ma H, Yang K, et al. DeepEM: deep neural networks model recovery through EM side-channel information leakage. In: Proceedings of IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2020. 209\u2013218"},{"key":"4388_CR203","first-page":"256","volume-title":"Proceedings of Smart Card Research and Advanced Applications (CARDIS)","author":"R Joud","year":"2023","unstructured":"Joud R, Mo\u00ebllic P, Ponti\u00e9 S, et al. Like an open book? Read neural network architecture with simple power analysis on 32-bit microcontrollers. In: Proceedings of Smart Card Research and Advanced Applications (CARDIS), 2023. 
256\u2013276"},{"key":"4388_CR204","first-page":"1973","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Zhu","year":"2021","unstructured":"Zhu Y, Cheng Y, Zhou H, et al. Hermes attack: steal DNN models with lossless inference accuracy. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 1973\u20131988"},{"key":"4388_CR205","unstructured":"Hu X, Liang L, Deng L, et al. Neural network model extraction attacks in edge devices by hearing architectural hints. 2019. ArXiv:1903.03916"},{"key":"4388_CR206","first-page":"3311","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Y Gao","year":"2024","unstructured":"Gao Y, Qiu H, Zhang Z, et al. DeepTheft: stealing DNN model architectures through power side channel. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 3311\u20133326"},{"key":"4388_CR207","first-page":"2717","volume":"67","author":"Y Xiang","year":"2020","unstructured":"Xiang Y, Chen Z, Chen Z, et al. Open DNN box by power side-channel attack. IEEE Trans Circuits Syst II, 2020, 67: 2717\u20132721","journal-title":"IEEE Trans Circuits Syst II"},{"key":"4388_CR208","doi-asserted-by":"publisher","first-page":"393","DOI":"10.1145\/3274694.3274696","volume-title":"Proceedings of Annual Computer Security Applications Conference (ACSAC)","author":"L Wei","year":"2018","unstructured":"Wei L, Luo B, Li Y, et al. I know what you see: power side-channel attack on convolutional neural network accelerators. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), 2018. 393\u2013406"},{"key":"4388_CR209","doi-asserted-by":"publisher","first-page":"12079","DOI":"10.1109\/JIOT.2021.3061314","volume":"8","author":"S Maji","year":"2021","unstructured":"Maji S, Banerjee U, Chandrakasan A P. Leaky nets: recovering embedded neural network models and inputs through simple power and timing side-channels-attacks and defenses. 
IEEE Internet Things J, 2021, 8: 12079\u201312092","journal-title":"IEEE Internet Things J"},{"key":"4388_CR210","first-page":"5289","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"B Zhang","year":"2023","unstructured":"Zhang B, He X, Shen Y, et al. A plot is worth a thousand words: model information stealing attacks via scientific plots. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 5289\u20135306"},{"key":"4388_CR211","first-page":"1345","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"M Jagielski","year":"2020","unstructured":"Jagielski M, Carlini N, Berthelot D, et al. High accuracy and high fidelity extraction of neural networks. In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 1345\u20131362"},{"key":"4388_CR212","first-page":"1","volume-title":"Proceedings of ACM Conference on Fairness, Accountability, and Transparency (FAccT)","author":"S Milli","year":"2019","unstructured":"Milli S, Schmidt L, Dragan A D, et al. Model reconstruction from model explanations. In: Proceedings of ACM Conference on Fairness, Accountability, and Transparency (FAccT), 2019. 1\u20139"},{"key":"4388_CR213","first-page":"1835","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"A Naseh","year":"2023","unstructured":"Naseh A, Krishna K, Iyyer M, et al. Stealing the decoding algorithms of language models. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2023. 1835\u20131849"},{"key":"4388_CR214","unstructured":"Yi S, Liu Y, Sun Z, et al. Jailbreak attacks and defenses against large language models: a survey. 2024. ArXiv:2407.04295"},{"key":"4388_CR215","first-page":"132","volume-title":"Proceedings of IEEE Security and Privacy","author":"D Kang","year":"2024","unstructured":"Kang D, Li X, Stoica I, et al. 
Exploiting programmatic behavior of LLMs: dual-use through standard security attacks. In: Proceedings of IEEE Security and Privacy, 2024. 132\u2013143"},{"key":"4388_CR216","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"Y Yuan","year":"2024","unstructured":"Yuan Y, Jiao W, Wang W, et al. GPT-4 is too smart to be safe: stealthy chat with LLMs via cipher. In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR217","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"Y Deng","year":"2024","unstructured":"Deng Y, Zhang W, Pan S J, et al. Multilingual jailbreak challenges in large language models. In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR218","unstructured":"Russinovich M, Salem A, Eldan R. Great, now write an article about that: the crescendo multi-turn LLM jailbreak attack. 2024. ArXiv:2404.01833"},{"key":"4388_CR219","unstructured":"Zou A, Wang Z, Kolter J Z, et al. Universal and transferable adversarial attacks on aligned language models. 2023. ArXiv:2307.15043"},{"key":"4388_CR220","unstructured":"Andriushchenko M, Croce F, Flammarion N. Jailbreaking leading safety-aligned LLMs with simple adaptive attacks. 2024. ArXiv:2404.02151"},{"key":"4388_CR221","first-page":"16974","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"X Guo","year":"2024","unstructured":"Guo X, Yu F, Zhang H, et al. Cold-attack: jailbreaking LLMs with stealthiness and controllability. In: Proceedings of International Conference on Machine Learning (ICML), 2024. 16974\u201317002"},{"key":"4388_CR222","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"X Liu","year":"2024","unstructured":"Liu X, Xu N, Chen M, et al. AutoDAN: generating stealthy jailbreak prompts on aligned large language models. 
In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR223","first-page":"80079","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"A Wei","year":"2023","unstructured":"Wei A, Haghtalab N, Steinhardt J. Jailbroken: how does LLM safety training fail? In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2023. 80079\u201380110"},{"key":"4388_CR224","first-page":"1671","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"X Shen","year":"2024","unstructured":"Shen X, Chen Z, Backes M, et al. \u201cDo anything now\u201d: characterizing and evaluating in-the-wild jailbreak prompts on large language models. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2024. 1671\u20131685"},{"key":"4388_CR225","unstructured":"Yao D, Zhang J, Harris I G, et al. FuzzLLM: a novel and universal fuzzing framework for proactively discovering jailbreak vulnerabilities in large language models. 2023. ArXiv:2309.05274"},{"key":"4388_CR226","first-page":"2136","volume-title":"Proceedings of Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT)","author":"P Ding","year":"2024","unstructured":"Ding P, Kuang J, Ma D, et al. A wolf in sheep\u2019s clothing: generalized nested jailbreak prompts can fool large language models easily. In: Proceedings of Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT), 2024. 2136\u20132153"},{"key":"4388_CR227","first-page":"24824","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"J Wei","year":"2022","unstructured":"Wei J, Wang X, Schuurmans D, et al. 
Chain-of-thought prompting elicits reasoning in large language models. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2022. 24824\u201324837"},{"key":"4388_CR228","first-page":"4138","volume-title":"Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP)","author":"H Li","year":"2023","unstructured":"Li H, Guo D, Fan W, et al. Multi-step jailbreaking privacy attacks on ChatGPT. In: Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2023. 4138\u20134153"},{"key":"4388_CR229","first-page":"16802","volume-title":"Proceedings of International Conference on Computational Linguistics (COLING)","author":"A Rao","year":"2024","unstructured":"Rao A, Naik A, Vashistha S, et al. Tricking LLMs into disobedience: formalizing, analyzing, and detecting jailbreaks. In: Proceedings of International Conference on Computational Linguistics (COLING), 2024. 16802\u201316830"},{"key":"4388_CR230","first-page":"129696","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"C Anil","year":"2024","unstructured":"Anil C, Durmus E, Rimsky N, et al. Many-shot jailbreaking. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2024. 129696\u2013129742"},{"key":"4388_CR231","volume-title":"Proceedings of AAAI Conference on Artificial Intelligence (AAAI)","author":"Y Gong","year":"2025","unstructured":"Gong Y, Ran D, Liu J, et al. FigStep: jailbreaking large vision-language models via typographic visual prompts. In: Proceedings of AAAI Conference on Artificial Intelligence (AAAI), 2025"},{"key":"4388_CR232","volume-title":"Proceedings of Conference on Language Modeling (COLM)","author":"W Luo","year":"2024","unstructured":"Luo W, Ma S, Liu X, et al. Jailbreakv: a benchmark for assessing the robustness of multimodal large language models against jailbreak attacks. 
In: Proceedings of Conference on Language Modeling (COLM), 2024"},{"key":"4388_CR233","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"E Shayegani","year":"2024","unstructured":"Shayegani E, Dong Y, Abu-Ghazaleh N. Jailbreak in pieces: compositional adversarial attacks on multi-modal language models. In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR234","first-page":"3600","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"B Hui","year":"2024","unstructured":"Hui B, Yuan H, Gong N, et al. PLeak: prompt leaking attacks against large language model applications. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2024. 3600\u20133614"},{"key":"4388_CR235","first-page":"5823","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"X Shen","year":"2024","unstructured":"Shen X, Qu Y, Backes M, et al. Prompt stealing attacks against text-to-image generation models. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 5823\u20135840"},{"key":"4388_CR236","first-page":"1849","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"R Zhang","year":"2024","unstructured":"Zhang R, Li H, Wen R, et al. Instruction backdoor attacks against customized LLMs. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 1849\u20131866"},{"key":"4388_CR237","unstructured":"Touvron H, Martin L, Stone K, et al. Llama 2: open foundation and fine-tuned chat models. 2023. ArXiv:2307.09288"},{"key":"4388_CR238","unstructured":"Jiang A Q, Sablayrolles A, Mensch A, et al. Mistral 7B. 2023. ArXiv:2310.06825"},{"key":"4388_CR239","unstructured":"Achiam J, Adler S, Agarwal S, et al. GPT-4 technical report. 2023. 
ArXiv:2303.08774"},{"key":"4388_CR240","first-page":"1631","volume-title":"Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP)","author":"R Socher","year":"2013","unstructured":"Socher R, Perelygin A, Wu J, et al. Recursive deep models for semantic compositionality over a sentiment treebank. In: Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2013. 1631\u20131642"},{"key":"4388_CR241","doi-asserted-by":"publisher","first-page":"259","DOI":"10.1145\/2034691.2034742","volume-title":"Proceedings of ACM Symposium on Document Engineering (DocEng)","author":"T A Almeida","year":"2011","unstructured":"Almeida T A, Hidalgo J M G, Yamakami A. Contributions to the study of SMS spam filtering: new collection and results. In: Proceedings of ACM Symposium on Document Engineering (DocEng), 2011. 259\u2013262"},{"key":"4388_CR242","first-page":"649","volume":"1","author":"X Zhang","year":"2015","unstructured":"Zhang X, Zhao J, LeCun Y. Character-level convolutional networks for text classification. In: Proceedings of Advances in Neural Information Processing Systems, 2015. 1: 649\u2013657","journal-title":"Proceedings of Advances in Neural Information Processing Systems"},{"key":"4388_CR243","first-page":"722","volume-title":"Proceedings of International Semantic Web Conference (ISWC)","author":"S Auer","year":"2007","unstructured":"Auer S, Bizer C, Kobilarov G, et al. DBpedia: a nucleus for a web of open data. In: Proceedings of International Semantic Web Conference (ISWC), 2007. 722\u2013735"},{"key":"4388_CR244","unstructured":"Hou Y, Li J, He Z, et al. Bridging language and items for retrieval and recommendation. 2024. ArXiv:2403.03952"},{"key":"4388_CR245","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"Z Xiang","year":"2024","unstructured":"Xiang Z, Jiang F, Xiong Z, et al. BadChain: backdoor chain-of-thought prompting for large language models. 
In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR246","unstructured":"Anil R, Dai A M, Firat O, et al. PaLM 2 technical report. 2023. ArXiv:2305.10403"},{"key":"4388_CR247","first-page":"8018","volume-title":"Proceedings of AAAI Conference on Artificial Intelligence (AAAI)","author":"D Jin","year":"2020","unstructured":"Jin D, Jin Z, Zhou J T, et al. Is BERT really robust? A strong baseline for natural language attack on text classification and entailment. In: Proceedings of AAAI Conference on Artificial Intelligence (AAAI), 2020. 8018\u20138025"},{"key":"4388_CR248","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"B Wang","year":"2021","unstructured":"Wang B, Xu C, Wang S, et al. Adversarial GLUE: a multi-task benchmark for robustness evaluation of language models. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2021"},{"key":"4388_CR249","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"X Xu","year":"2024","unstructured":"Xu X, Kong K, Liu N, et al. An LLM can fool itself: a prompt-based adversarial attack. In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR250","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"X Qi","year":"2024","unstructured":"Qi X, Zeng Y, Xie T, et al. Fine-tuning aligned language models compromises safety, even when users do not intend to! In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR251","first-page":"681","volume-title":"Proceedings of Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT)","author":"Q Zhan","year":"2024","unstructured":"Zhan Q, Fang R, Bindu R, et al. 
Removing RLHF protections in GPT-4 via fine-tuning. In: Proceedings of Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT), 2024. 681\u2013687"},{"key":"4388_CR252","unstructured":"Yang X, Wang X, Zhang Q, et al. Shadow alignment: the ease of subverting safely-aligned language models. 2023. ArXiv:2310.02949"},{"key":"4388_CR253","first-page":"3111","volume-title":"Proceedings of Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT)","author":"J Xu","year":"2024","unstructured":"Xu J, Ma M D, Wang F, et al. Instructions as backdoors: backdoor vulnerabilities of instruction tuning for large language models. In: Proceedings of Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT), 2024. 3111\u20133126"},{"key":"4388_CR254","unstructured":"Shi J, Liu Y, Zhou P, et al. BadGPT: exploring security vulnerabilities of ChatGPT via backdoor attacks to InstructGPT. 2023. ArXiv:2304.12298"},{"key":"4388_CR255","first-page":"12303","volume-title":"Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP)","author":"S Zhao","year":"2023","unstructured":"Zhao S, Wen J, Luu A T, et al. Prompt as triggers for backdoor attack: examining the vulnerability in language models. In: Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2023. 12303\u201312317"},{"key":"4388_CR256","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"J Rando","year":"2024","unstructured":"Rando J, Tram\u00e8r F. Universal jailbreak backdoors from poisoned human feedback. In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR257","doi-asserted-by":"crossref","unstructured":"Zampieri M, Malmasi S, Nakov P, et al. 
Predicting the type and target of offensive posts in social media. 2019. ArXiv:1902.09666","DOI":"10.18653\/v1\/N19-1144"},{"key":"4388_CR258","unstructured":"Devlin J. BERT: pre-training of deep bidirectional transformers for language understanding. 2018. ArXiv:1810.04805"},{"key":"4388_CR259","unstructured":"Liu Y. RoBERTa: a robustly optimized BERT pretraining approach. 2019. ArXiv:1907.11692"},{"key":"4388_CR260","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"Y Li","year":"2024","unstructured":"Li Y, Li T, Chen K, et al. BadEdit: backdooring large language models by model editing. In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR261","volume-title":"Proceedings of AAAI Conference on Artificial Intelligence (AAAI)","author":"J Zheng","year":"2025","unstructured":"Zheng J, Hu T, Cong T, et al. CL-Attack: textual backdoor attacks via cross-lingual triggers. In: Proceedings of AAAI Conference on Artificial Intelligence (AAAI), 2025"},{"key":"4388_CR262","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"L Wang","year":"2025","unstructured":"Wang L, Wang J, Cong T, et al. From purity to peril: backdooring merged models from \u201charmless\u201d benign components. In: Proceedings of USENIX Security Symposium (USENIX Security), 2025"},{"key":"4388_CR263","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"T Dong","year":"2025","unstructured":"Dong T, Xue M, Chen G, et al. The Philosopher\u2019s Stone: Trojaning plugins of large language models. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2025"},{"key":"4388_CR264","first-page":"22769","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"W Wang","year":"2022","unstructured":"Wang W, Levine A J, Feizi S. 
Improved certified defenses against data poisoning with (deterministic) finite aggregation. In: Proceedings of International Conference on Machine Learning (ICML), 2022. 22769\u201322783"},{"key":"4388_CR265","first-page":"10859","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"Y Wang","year":"2021","unstructured":"Wang Y, Mianjy P, Arora R. Robust learning for data poisoning attacks. In: Proceedings of International Conference on Machine Learning (ICML), 2021. 10859\u201310869"},{"key":"4388_CR266","first-page":"25154","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"Y Yang","year":"2022","unstructured":"Yang Y, Liu T Y, Mirzasoleiman B. Not all poisons are created equal: robust training against data poisoning. In: Proceedings of International Conference on Machine Learning (ICML), 2022. 25154\u201325165"},{"key":"4388_CR267","first-page":"11947","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"T Y Liu","year":"2022","unstructured":"Liu T Y, Yang Y, Mirzasoleiman B. Friendly noise against adversarial noise: a powerful defense against data poisoning attack. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2022. 11947\u201311959"},{"key":"4388_CR268","first-page":"3517","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"J Steinhardt","year":"2017","unstructured":"Steinhardt J, Koh P W W, Liang P S. Certified defenses for data poisoning attacks. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2017. 3517\u20133529"},{"key":"4388_CR269","first-page":"5","volume-title":"Proceedings of ECML PKDD 2018 Workshops","author":"A Paudice","year":"2018","unstructured":"Paudice A, Mu\u00f1oz-Gonz\u00e1lez L, Lupu E C. Label sanitization against label flipping poisoning attacks. 
In: Proceedings of ECML PKDD 2018 Workshops, 2018. 5\u201315"},{"key":"4388_CR270","doi-asserted-by":"crossref","unstructured":"Abbaszadeh K, Pappas C, Katz J, et al. Zero-knowledge proofs of training for deep neural networks. Cryptology ePrint Archive, 2024. https:\/\/eprint.iacr.org\/2024\/162","DOI":"10.1145\/3658644.3670316"},{"key":"4388_CR271","first-page":"1596","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"I Diakonikolas","year":"2019","unstructured":"Diakonikolas I, Kamath G, Kane D, et al. Sever: a robust meta-algorithm for stochastic optimization. In: Proceedings of International Conference on Machine Learning (ICML), 2019. 1596\u20131606"},{"key":"4388_CR272","first-page":"35413","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"A Wan","year":"2023","unstructured":"Wan A, Wallace E, Shen S, et al. Poisoning language models during instruction tuning. In: Proceedings of International Conference on Machine Learning (ICML), 2023. 35413\u201335425"},{"key":"4388_CR273","first-page":"707","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"B Wang","year":"2019","unstructured":"Wang B, Yao Y, Shan S, et al. Neural cleanse: identifying and mitigating backdoor attacks in neural networks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2019. 707\u2013723"},{"key":"4388_CR274","first-page":"4658","volume-title":"Proceedings of International Joint Conferences on Artificial Intelligence (IJCAI)","author":"H Chen","year":"2019","unstructured":"Chen H, Fu C, Zhao J, et al. DeepInspect: a black-box Trojan detection and mitigation framework for deep neural networks. In: Proceedings of International Joint Conferences on Artificial Intelligence (IJCAI), 2019. 
4658\u20134664"},{"key":"4388_CR275","first-page":"103","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"X Xu","year":"2021","unstructured":"Xu X, Wang Q, Li H, et al. Detecting AI Trojans using meta neural analysis. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 103\u2013120"},{"key":"4388_CR276","first-page":"1541","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"D Tang","year":"2021","unstructured":"Tang D, Wang X, Tang H, et al. Demon in the variant: statistical analysis of DNNs for robust backdoor contamination detection. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 1541\u20131558"},{"key":"4388_CR277","first-page":"2255","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"A Azizi","year":"2021","unstructured":"Azizi A, Tahmid I A, Waheed A, et al. T-Miner: a generative approach to defend against Trojan attacks on DNN-based text classification. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 2255\u20132272"},{"key":"4388_CR278","first-page":"2025","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Y Liu","year":"2022","unstructured":"Liu Y, Shen G, Tao G, et al. Piccolo: exposing complex backdoors in NLP transformer models. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2022. 2025\u20132042"},{"key":"4388_CR279","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"S Cheng","year":"2023","unstructured":"Cheng S, Tao G, Liu Y, et al. BEAGLE: forensics of deep learning backdoor attack for better defense. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2023"},{"key":"4388_CR280","first-page":"755","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"X Gong","year":"2023","unstructured":"Gong X, Chen Y, Yang W, et al. 
Redeem myself: purifying backdoors in deep learning models using self attention distillation. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 755\u2013772"},{"key":"4388_CR281","first-page":"1703","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"S Cheng","year":"2024","unstructured":"Cheng S, Shen G, Tao G, et al. ODSCAN: backdoor scanning for object detection models. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 1703\u20131721"},{"key":"4388_CR282","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Z Sun","year":"2025","unstructured":"Sun Z, Cong T, Liu Y, et al. PEFTGuard: detecting backdoor attacks against parameter-efficient fine-tuning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2025"},{"key":"4388_CR283","volume-title":"Proceedings of Workshop on Artificial Intelligence Safety 2019 co-located with the 33rd AAAI Conference on Artificial Intelligence","author":"B Chen","year":"2019","unstructured":"Chen B, Carvalho W, Baracaldo N, et al. Detecting backdoor attacks on deep neural networks by activation clustering. In: Proceedings of Workshop on Artificial Intelligence Safety 2019 co-located with the 33rd AAAI Conference on Artificial Intelligence, 2019"},{"key":"4388_CR284","first-page":"8011","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"B Tran","year":"2018","unstructured":"Tran B, Li J, Madry A. Spectral signatures in backdoor attacks. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2018. 8011\u20138021"},{"key":"4388_CR285","first-page":"3575","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"S Shan","year":"2022","unstructured":"Shan S, Bhagoji A N, Zheng H, et al. Poison forensics: traceback of data poisoning attacks in neural networks. 
In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 3575\u20133592"},{"key":"4388_CR286","first-page":"1265","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Y Liu","year":"2019","unstructured":"Liu Y, Lee W, Tao G, et al. ABS: scanning neural networks for back-doors by artificial brain stimulation. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2019. 1265\u20131282"},{"key":"4388_CR287","first-page":"67","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"S Shan","year":"2020","unstructured":"Shan S, Wenger E, Wang B, et al. Gotta catch\u2019em all: using honeypots to catch adversarial attacks on neural networks. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2020. 67\u201383"},{"key":"4388_CR288","first-page":"2232","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"A Rajabi","year":"2023","unstructured":"Rajabi A, Asokraj S, Jiang F, et al. MDTD: a multi-domain Trojan detector for deep neural networks. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2023. 2232\u20132246"},{"key":"4388_CR289","first-page":"2048","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"X Mo","year":"2024","unstructured":"Mo X, Zhang Y, Zhang L Y, et al. Robust backdoor detection for deep learning via topological evolution dynamics. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 2048\u20132066"},{"key":"4388_CR290","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"W Ma","year":"2023","unstructured":"Ma W, Wang D, Sun R, et al. The \u201cBeatrix\u201d resurrections: robust backdoor detection via gram matrices. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2023"},{"key":"4388_CR291","first-page":"14983","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Y Liu","year":"2022","unstructured":"Liu Y, Shen G, Tao G, et al. Complex backdoor detection by symmetric feature differencing. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2022. 14983\u201314993"},{"key":"4388_CR292","unstructured":"Xu X, Liu Z, Koffas S, et al. BAN: detecting backdoors activated by adversarial neuron noise. 2024. ArXiv:2405.19928"},{"key":"4388_CR293","first-page":"273","volume-title":"Proceedings of International Symposium on Research in Attacks, Intrusions and Defenses (RAID)","author":"K Liu","year":"2018","unstructured":"Liu K, Dolan-Gavitt B, Garg S. Fine-pruning: defending against backdooring attacks on deep neural networks. In: Proceedings of International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2018. 273\u2013294"},{"key":"4388_CR294","first-page":"16913","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"D Wu","year":"2021","unstructured":"Wu D, Wang Y. Adversarial neuron pruning purifies backdoored deep models. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2021. 16913\u201316925"},{"key":"4388_CR295","first-page":"175","volume-title":"Proceedings of European Conference on Computer Vision (ECCV)","author":"R Zheng","year":"2022","unstructured":"Zheng R, Tang R, Li J, et al. Data-free backdoor removal based on channel Lipschitzness. In: Proceedings of European Conference on Computer Vision (ECCV), 2022. 175\u2013191"},{"key":"4388_CR296","first-page":"19837","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"Y Li","year":"2023","unstructured":"Li Y, Lyu X, Ma X, et al. 
Reconstructive neuron pruning for backdoor defense. In: Proceedings of International Conference on Machine Learning (ICML), 2023. 19837\u201319854"},{"key":"4388_CR297","first-page":"141","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Y Zhao","year":"2021","unstructured":"Zhao Y, Zhu H, Chen K, et al. AI-Lancet: locating error-inducing neurons to optimize neural networks. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 141\u2013158"},{"key":"4388_CR298","first-page":"338","volume-title":"Proceedings of IEEE\/ACM International Conference on Software Engineering (ICSE)","author":"B Sun","year":"2022","unstructured":"Sun B, Sun J, Pham L H, et al. Causality-based neural network repair. In: Proceedings of IEEE\/ACM International Conference on Software Engineering (ICSE), 2022. 338\u2013349"},{"key":"4388_CR299","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"P Zhao","year":"2020","unstructured":"Zhao P, Chen P, Das P, et al. Bridging mode connectivity in loss landscapes and adversarial robustness. In: Proceedings of International Conference on Learning Representations (ICLR), 2020"},{"key":"4388_CR300","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"Y Zeng","year":"2022","unstructured":"Zeng Y, Chen S, Park W, et al. Adversarial unlearning of backdoors via implicit hypergradient. In: Proceedings of International Conference on Learning Representations (ICLR), 2022"},{"key":"4388_CR301","first-page":"2883","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"B Sun","year":"2024","unstructured":"Sun B, Sun J, Koh W, et al. Neural network semantic backdoor detection and mitigation: a causality-based approach. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 
2883\u20132900"},{"key":"4388_CR302","first-page":"8230","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"E Rosenfeld","year":"2020","unstructured":"Rosenfeld E, Winston E, Ravikumar P, et al. Certified robustness to label-flipping attacks via randomized smoothing. In: Proceedings of International Conference on Machine Learning (ICML), 2020. 8230\u20138241"},{"key":"4388_CR303","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"A Levine","year":"2021","unstructured":"Levine A, Feizi S. Deep partition aggregation: provable defenses against general poisoning attacks. In: Proceedings of International Conference on Learning Representations (ICLR), 2021"},{"key":"4388_CR304","first-page":"1311","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"M Weber","year":"2023","unstructured":"Weber M, Xu X, Karlas B, et al. RAB: provable robustness against backdoor attacks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 1311\u20131328"},{"key":"4388_CR305","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"H Pei","year":"2024","unstructured":"Pei H, Jia J, Guo W, et al. TextGuard: provable defense against backdoor attacks on text classification. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR306","unstructured":"Zhang M, Salem A, Backes M, et al. Vera verto: multimodal hijacking attack. 2024. ArXiv:2408.00129"},{"key":"4388_CR307","first-page":"9558","volume-title":"Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP)","author":"F Qi","year":"2021","unstructured":"Qi F, Chen Y, Li M, et al. ONION: a simple and effective defense against textual backdoor attacks. In: Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2021. 
9558\u20139566"},{"key":"4388_CR308","unstructured":"Ghorbel M, Bouzidi H, Bilasco I M, et al. Model for peanuts: hijacking ML models without training access is possible. 2024. ArXiv:2406.01708"},{"key":"4388_CR309","first-page":"535","volume-title":"Proceedings of ACM Conference on Knowledge Discovery and Data Mining (KDD)","author":"C Buciluundefined","year":"2006","unstructured":"Buciluundefined C, Caruana R, Niculescu-Mizil A. Model compression. In: Proceedings of ACM Conference on Knowledge Discovery and Data Mining (KDD), 2006. 535\u2013541"},{"key":"4388_CR310","first-page":"119","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"P Blanchard","year":"2017","unstructured":"Blanchard P, Mhamdi E M E, Guerraoui R, et al. Machine learning with adversaries: Byzantine tolerant gradient descent. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2017. 119\u2013129"},{"key":"4388_CR311","first-page":"5636","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"D Yin","year":"2018","unstructured":"Yin D, Chen Y, Ramchandran K, et al. Byzantine-robust distributed learning: towards optimal statistical rates. In: Proceedings of International Conference on Machine Learning (ICML), 2018. 5636\u20135645"},{"key":"4388_CR312","first-page":"1961","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"M Rathee","year":"2023","unstructured":"Rathee M, Shen C, Wagh S, et al. ELSA: secure aggregation for federated learning with malicious actors. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 1961\u20131979"},{"key":"4388_CR313","first-page":"2874","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"M Fang","year":"2024","unstructured":"Fang M, Zhang Z, Hairi, et al. Byzantine-robust decentralized federated learning. 
In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2024. 2874\u20132888"},{"key":"4388_CR314","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"X Cao","year":"2021","unstructured":"Cao X, Fang M, Liu J, et al. FLTrust: Byzantine-robust federated learning via trust bootstrapping. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2021"},{"key":"4388_CR315","first-page":"1273","volume-title":"Proceedings of International Conference on Artificial Intelligence and Statistics (AISTATS)","author":"B McMahan","year":"2017","unstructured":"McMahan B, Moore E, Ramage D, et al. Communication-efficient learning of deep networks from decentralized data. In: Proceedings of International Conference on Artificial Intelligence and Statistics (AISTATS), 2017. 1273\u20131282"},{"key":"4388_CR316","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"T Chu","year":"2023","unstructured":"Chu T, Garc\u00eda-Recuero \u00c1, Iordanou C, et al. Securing federated sensitive topic classification against poisoning attacks. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2023"},{"key":"4388_CR317","doi-asserted-by":"publisher","first-page":"242","DOI":"10.1093\/biomet\/69.1.242","volume":"69","author":"A F Siegel","year":"1982","unstructured":"Siegel A F. Robust regression using repeated medians. Biometrika, 1982, 69: 242\u2013244","journal-title":"Biometrika"},{"key":"4388_CR318","first-page":"453","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"H Lycklama","year":"2023","unstructured":"Lycklama H, Burkhalter L, Viand A, et al. RoFL: robustness of secure federated learning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 
453\u2013476"},{"key":"4388_CR319","first-page":"2535","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"A R Chowdhury","year":"2022","unstructured":"Chowdhury A R, Guo C, Jha S, et al. EIFFeL: ensuring integrity for federated learning. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 2535\u20132549"},{"key":"4388_CR320","first-page":"4805","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"J Bell","year":"2023","unstructured":"Bell J, Gasc\u00f3n A, Lepoint T, et al. ACORN: input validation for secure aggregation. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 4805\u20134822"},{"key":"4388_CR321","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"H Fereidooni","year":"2024","unstructured":"Fereidooni H, Pegoraro A, Rieger P, et al. FreqFed: a frequency analysis-based approach for mitigating poisoning attacks in federated learning. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR322","unstructured":"Nguyen T D, Rieger P, Yalame H, et al. FLGUARD: secure and private federated learning. 2021. ArXiv:2101.02281"},{"key":"4388_CR323","first-page":"852","volume-title":"Proceedings of IEEE International Conference on Distributed Computing Systems (ICDCS)","author":"S Andreina","year":"2021","unstructured":"Andreina S, Marson G A, M\u00f6llering H, et al. BaFFLe: backdoor detection via feedback-based federated learning. In: Proceedings of IEEE International Conference on Distributed Computing Systems (ICDCS), 2021. 852\u2013863"},{"key":"4388_CR324","first-page":"737","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"K Kumari","year":"2023","unstructured":"Kumari K, Rieger P, Fereidooni H, et al. BayBFed: Bayesian backdoor defense for federated learning. 
In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 737\u2013754"},{"key":"4388_CR325","unstructured":"Sun Z, Kairouz P, Suresh A T, et al. Can you really backdoor federated learning? 2019. ArXiv:1911.07963"},{"key":"4388_CR326","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"P Rieger","year":"2022","unstructured":"Rieger P, Nguyen T D, Miettinen M, et al. DeepSight: mitigating backdoor attacks in federated learning through deep model inspection. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2022"},{"key":"4388_CR327","first-page":"1415","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"T D Nguyen","year":"2022","unstructured":"Nguyen T D, Rieger P, Chen H, et al. FLAME: taming backdoors in federated learning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 1415\u20131432"},{"key":"4388_CR328","first-page":"1526","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"T Krau\u00df","year":"2023","unstructured":"Krau\u00df T, Dmitrienko A. MESAS: poisoning defense for federated learning resilient against adaptive attackers. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2023. 1526\u20131540"},{"key":"4388_CR329","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"P Rieger","year":"2024","unstructured":"Rieger P, Krau\u00df T, Miettinen M, et al. CrowdGuard: federated backdoor detection in federated learning. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR330","first-page":"304","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"N Wu","year":"2020","unstructured":"Wu N, Farokhi F, Smith D B, et al. The value of collaboration in convex machine learning with differential privacy. 
In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2020. 304\u2013317"},{"key":"4388_CR331","first-page":"2249","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"S Maddock","year":"2022","unstructured":"Maddock S, Cormode G, Wang T, et al. Federated boosted decision trees with differential privacy. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 2249\u20132263"},{"key":"4388_CR332","doi-asserted-by":"crossref","unstructured":"Liu J, Lou J, Xiong L, et al. Cross-silo federated learning with record-level personalized differential privacy. 2024. ArXiv:2401.16251","DOI":"10.1145\/3658644.3670351"},{"key":"4388_CR333","unstructured":"Geyer R C, Klein T, Nabi M. Differentially private federated learning: a client level perspective. 2017. ArXiv:1712.07557"},{"key":"4388_CR334","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"H B McMahan","year":"2018","unstructured":"McMahan H B, Ramage D, Talwar K, et al. Learning differentially private recurrent language models. In: Proceedings of International Conference on Learning Representations (ICLR), 2018"},{"key":"4388_CR335","first-page":"308","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"M Abadi","year":"2016","unstructured":"Abadi M, Chu A, Goodfellow I J, et al. Deep learning with differential privacy. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016. 308\u2013318"},{"key":"4388_CR336","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"M Naseri","year":"2022","unstructured":"Naseri M, Hayes J, Cristofaro E D. Local and central differential privacy for robustness and privacy in federated learning. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2022"},{"key":"4388_CR337","first-page":"1379","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"T Stevens","year":"2022","unstructured":"Stevens T, Skalka C, Vincent C, et al. Efficient differentially private secure aggregation for federated learning via hardness of learning with errors. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 1379\u20131395"},{"key":"4388_CR338","first-page":"84","volume-title":"Proceedings of Annual ACM Symposium on Theory of Computing (STOC)","author":"O Regev","year":"2005","unstructured":"Regev O. On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of Annual ACM Symposium on Theory of Computing (STOC), 2005. 84\u201393"},{"key":"4388_CR339","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"S Sav","year":"2021","unstructured":"Sav S, Pyrgelis A, Troncoso-Pastoriza J R, et al. POSEIDON: privacy-preserving federated neural network learning. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2021"},{"key":"4388_CR340","first-page":"1908","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"D Froelicher","year":"2023","unstructured":"Froelicher D, Cho H, Edupalli M, et al. Scalable and privacy-preserving federated principal component analysis. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 1908\u20131925"},{"key":"4388_CR341","volume-title":"Proceedings of the NeurIPS 2019 Workshop on Robust AI in Financial Services","author":"V Mugunthan","year":"2019","unstructured":"Mugunthan V, Polychroniadou A, Byrd D, et al. SMPAI: secure multi-party computation for federated learning. 
In: Proceedings of the NeurIPS 2019 Workshop on Robust AI in Financial Services, 2019"},{"key":"4388_CR342","first-page":"3065","volume-title":"Proceedings of the ACM SIGSAC Conference on Computer and Communications Security","author":"S Patel","year":"2024","unstructured":"Patel S, Persiano G, Seo J Y, et al. Efficient secret sharing for large-scale applications. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, 2024. 3065\u20133079"},{"key":"4388_CR343","doi-asserted-by":"crossref","unstructured":"Lin G, Han W, Ruan W, et al. Ents: an efficient three-party training framework for decision trees by communication optimization. 2024. ArXiv:2406.07948","DOI":"10.1145\/3658644.3670274"},{"key":"4388_CR344","first-page":"343","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Z Jiang","year":"2024","unstructured":"Jiang Z, Ye P, He S, et al. Lotto: secure participant selection against adversarial servers in federated learning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 343\u2013360"},{"key":"4388_CR345","unstructured":"Titcombe T, Hall A J, Papadopoulos P, et al. Practical defences against model inversion attacks for split neural networks. 2021. ArXiv:2104.05743"},{"key":"4388_CR346","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"O Li","year":"2022","unstructured":"Li O, Sun J, Yang X, et al. Label leakage and protection in two-party split learning. In: Proceedings of International Conference on Learning Representations (ICLR), 2022"},{"key":"4388_CR347","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1145\/3320269.3384740","volume-title":"Proceedings of ACM Asia Conference on Computer and Communications Security (ASIACCS)","author":"S Abuadbba","year":"2020","unstructured":"Abuadbba S, Kim K, Kim M, et al. Can we use split learning on 1D CNN models for privacy preserving training? 
In: Proceedings of ACM Asia Conference on Computer and Communications Security (ASIACCS), 2020. 305\u2013318"},{"key":"4388_CR348","unstructured":"Yang X, Sun J, Yao Y, et al. Differentially private label protection in split learning. 2022. ArXiv:2203.02073"},{"key":"4388_CR349","doi-asserted-by":"publisher","first-page":"1539","DOI":"10.1109\/TIFS.2023.3243490","volume":"18","author":"Z Wang","year":"2023","unstructured":"Wang Z, Yang G, Dai H, et al. Privacy-preserving split learning for large-scaled vision pre-training. IEEE Trans Inform Forensic Secur, 2023, 18: 1539\u20131553","journal-title":"IEEE Trans Inform Forensic Secur"},{"key":"4388_CR350","unstructured":"Oh S, Baek S, Park J, et al. Privacy-preserving split learning with vision transformers using patch-wise random and noisy cutmix. 2024. ArXiv:2408.01040"},{"key":"4388_CR351","doi-asserted-by":"publisher","first-page":"125","DOI":"10.1145\/3559613.3563198","volume-title":"Proceedings of the 21st Workshop on Privacy in the Electronic Society, WPES2022","author":"E Erdogan","year":"2022","unstructured":"Erdogan E, K\u00fcp\u00e7\u00fc A, \u00c7i\u00e7ek A E. SplitGuard: detecting and mitigating training-hijacking attacks in split learning. In: Proceedings of the 21st Workshop on Privacy in the Electronic Society, WPES2022, 2022. 125\u2013137"},{"key":"4388_CR352","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"J Fu","year":"2023","unstructured":"Fu J, Ma X, Zhu B B, et al. Focusing on Pinocchio\u2019s nose: a gradients scrutinizer to thwart split-learning hijacking attacks using intrinsic attributes. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2023"},{"key":"4388_CR353","series-title":"Dissertation for Ph.D. Degree","volume-title":"A fully homomorphic encryption scheme","author":"C Gentry","year":"2009","unstructured":"Gentry C. A fully homomorphic encryption scheme. Dissertation for Ph.D. Degree. 
Palo Alto: Stanford University, 2009"},{"key":"4388_CR354","first-page":"201","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"R Gilad-Bachrach","year":"2016","unstructured":"Gilad-Bachrach R, Dowlin N, Laine K, et al. CryptoNets: applying neural networks to encrypted data with high throughput and accuracy. In: Proceedings of International Conference on Machine Learning (ICML), 2016. 201\u2013210"},{"key":"4388_CR355","first-page":"812","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"A Brutzkus","year":"2019","unstructured":"Brutzkus A, Gilad-Bachrach R, Elisha O. Low latency privacy preserving inference. In: Proceedings of International Conference on Machine Learning (ICML), 2019. 812\u2013821"},{"key":"4388_CR356","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"Q Lou","year":"2021","unstructured":"Lou Q, Shen Y, Jin H, et al. SAFENet: a secure, accurate and fast neural network inference. In: Proceedings of International Conference on Learning Representations (ICLR), 2021"},{"key":"4388_CR357","first-page":"7102","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"Q Lou","year":"2021","unstructured":"Lou Q, Jiang L. HEMET: a homomorphic-encryption-friendly privacy-preserving mobile neural network architecture. In: Proceedings of International Conference on Machine Learning (ICML), 2021. 7102\u20137110"},{"key":"4388_CR358","doi-asserted-by":"publisher","first-page":"3711","DOI":"10.1109\/TDSC.2021.3105111","volume":"19","author":"E Lee","year":"2022","unstructured":"Lee E, Lee J W, No J S, et al. Minimax approximation of sign function by composite polynomial for homomorphic comparison. 
IEEE Trans Dependable Secure Comput, 2022, 19: 3711\u20133727","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"4388_CR359","first-page":"1057","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"W Lu","year":"2021","unstructured":"Lu W, Huang Z, Hong C, et al. PEGASUS: bridging polynomial and non-polynomial evaluations in homomorphic encryption. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 1057\u20131073"},{"key":"4388_CR360","first-page":"12403","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"E Lee","year":"2022","unstructured":"Lee E, Lee J, Lee J, et al. Low-complexity deep convolutional neural networks on fully homomorphic encryption using multiplexed parallel convolutions. In: Proceedings of International Conference on Machine Learning (ICML), 2022. 12403\u201312422"},{"key":"4388_CR361","first-page":"19","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"P Mohassel","year":"2017","unstructured":"Mohassel P, Zhang Y. SecureML: a system for scalable privacy-preserving machine learning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2017. 19\u201338"},{"key":"4388_CR362","first-page":"35","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"P Mohassel","year":"2018","unstructured":"Mohassel P, Rindal P. Aby3: a mixed protocol framework for machine learning. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2018. 35\u201352"},{"key":"4388_CR363","first-page":"2505","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"P Mishra","year":"2020","unstructured":"Mishra P, Lehmkuhl R, Srinivasan A, et al. DELPHI: a cryptographic inference service for neural networks. In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 
2505\u20132522"},{"key":"4388_CR364","first-page":"325","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"D Rathee","year":"2020","unstructured":"Rathee D, Rathee M, Kumar N, et al. CrypTFlow2: practical 2-party secure inference. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2020. 325\u2013342"},{"key":"4388_CR365","first-page":"1003","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"D Rathee","year":"2021","unstructured":"Rathee D, Rathee M, Goli R K K, et al. SIRNN: a math library for secure RNN inference. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 1003\u20131020"},{"key":"4388_CR366","first-page":"534","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"L Zhou","year":"2023","unstructured":"Zhou L, Wang Z, Cui H, et al. Bicoptor: two-round secure three-party non-linear computation without preprocessing for privacy-preserving machine learning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 534\u2013551"},{"key":"4388_CR367","first-page":"1939","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"F Liu","year":"2024","unstructured":"Liu F, Xie X, Yu Y. Scalable multi-party computation protocols for machine learning in the honest-majority setting. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 1939\u20131956"},{"key":"4388_CR368","first-page":"809","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Z Huang","year":"2022","unstructured":"Huang Z, Lu W, Hong C, et al. Cheetah: lean and fast secure two-party deep neural network inference. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 
809\u2013826"},{"key":"4388_CR369","first-page":"6435","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"W Lu","year":"2023","unstructured":"Lu W, Huang Z, Zhang Q, et al. Squirrel: a scalable secure two-party computation framework for training gradient boosting decision tree. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 6435\u20136451"},{"key":"4388_CR370","first-page":"1021","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"S Tan","year":"2021","unstructured":"Tan S, Knott B, Tian Y, et al. CryptGPU: fast privacy-preserving machine learning on the GPU. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 1021\u20131038"},{"key":"4388_CR371","first-page":"827","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"J L Watson","year":"2022","unstructured":"Watson J L, Wagh S, Popa R A. Piranha: a GPU platform for secure computation. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 827\u2013844"},{"key":"4388_CR372","first-page":"2651","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"N Koti","year":"2021","unstructured":"Koti N, Pancholi M, Patra A, et al. SWIFT: super-fast and robust privacy-preserving machine learning. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 2651\u20132668"},{"key":"4388_CR373","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"N Koti","year":"2022","unstructured":"Koti N, Patra A, Rachuri R, et al. Tetrad: actively secure 4PC for secure training and inference. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2022"},{"key":"4388_CR374","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"H Chaudhari","year":"2020","unstructured":"Chaudhari H, Rachuri R, Suresh A. 
Trident: efficient 4PC framework for privacy preserving machine learning. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2020"},{"key":"4388_CR375","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"A Patra","year":"2020","unstructured":"Patra A, Suresh A. BLAZE: blazing fast privacy-preserving machine learning. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2020"},{"key":"4388_CR376","first-page":"2183","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"A P K Dalskov","year":"2021","unstructured":"Dalskov A P K, Escudero D, Keller M. Fantastic four: honest-majority four-party secure computation with malicious security. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 2183\u20132200"},{"key":"4388_CR377","first-page":"2227","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"B Yuan","year":"2024","unstructured":"Yuan B, Yang S, Zhang Y, et al. MD-ML: super fast privacy-preserving machine learning for malicious security with a dishonest majority. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 2227\u20132244"},{"key":"4388_CR378","first-page":"4961","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"B Knott","year":"2021","unstructured":"Knott B, Venkataraman S, Hannun A Y, et al. CrypTen: secure multi-party computation meets machine learning. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2021. 4961\u20134973"},{"key":"4388_CR379","first-page":"1575","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"M Keller","year":"2020","unstructured":"Keller M. MP-SPDZ: a versatile framework for multi-party computation. 
In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2020. 1575\u20131590"},{"key":"4388_CR380","unstructured":"Costan V, Devadas S. Intel SGX explained. Cryptology ePrint Archive, 2016. https:\/\/eprint.iacr.org\/2016\/086"},{"key":"4388_CR381","unstructured":"ARM. ARM security technology: building a secure system using TrustZone technology, 2004. https:\/\/www.arm.com\/products\/security-on-arm\/trustzone"},{"key":"4388_CR382","first-page":"640","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Y Xu","year":"2015","unstructured":"Xu Y, Cui W, Peinado M. Controlled-channel attacks: deterministic side channels for untrusted operating systems. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2015. 640\u2013656"},{"key":"4388_CR383","first-page":"1741","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"J van Bulck","year":"2019","unstructured":"van Bulck J, Oswald D, Marin E, et al. A tale of two worlds: assessing the vulnerability of enclave shielding runtimes. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2019. 1741\u20131758"},{"key":"4388_CR384","first-page":"355","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"M Lipp","year":"2021","unstructured":"Lipp M, Kogler A, Oswald D, et al. PLATYPUS: software-based power side-channel attacks on x86. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 355\u2013371"},{"key":"4388_CR385","first-page":"619","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"O Ohrimenko","year":"2016","unstructured":"Ohrimenko O, Schuster F, Fournet C, et al. Oblivious multi-party machine learning on trusted processors. In: Proceedings of USENIX Security Symposium (USENIX Security), 2016. 
619\u2013636"},{"key":"4388_CR386","first-page":"1039","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"R Poddar","year":"2020","unstructured":"Poddar R, Ananthanarayanan G, Setty S, et al. Visor: privacy-preserving video analytics as a cloud service. In: Proceedings of USENIX Security Symposium (USENIX Security), 2020. 1039\u20131056"},{"key":"4388_CR387","unstructured":"Hashemi H, Wang Y, Annavaram M. DarKnight: a data privacy scheme for training and inference of deep neural networks. 2020. ArXiv:2006.01300"},{"key":"4388_CR388","unstructured":"Hunt T, Song C, Shokri R, et al. Chiron: privacy-preserving machine learning as a service. 2018. ArXiv:1803.05961"},{"key":"4388_CR389","unstructured":"Kunkel R, Quoc D L, Gregor F, et al. TensorSCONE: a secure TensorFlow framework using Intel SGX. 2019. ArXiv:1902.04413"},{"key":"4388_CR390","unstructured":"Tram\u00e8r F, Boneh D. Slalom: fast, verifiable and private execution of neural networks in trusted hardware. 2018. ArXiv:1806.03287"},{"key":"4388_CR391","first-page":"3327","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Z Zhang","year":"2024","unstructured":"Zhang Z, Gong C, Cai Y, et al. No privacy left outside: on the (in-) security of TEE-shielded DNN partition for on-device ML. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 3327\u20133345"},{"key":"4388_CR392","first-page":"1596","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Z Sun","year":"2023","unstructured":"Sun Z, Sun R, Liu C, et al. ShadowNet: a secure and efficient on-device model inference system for convolutional neural networks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2023. 1596\u20131612"},{"key":"4388_CR393","first-page":"14876","volume-title":"Proceedings of AAAI Conference on Artificial Intelligence (AAAI)","author":"L K Ng","year":"2021","unstructured":"Ng L K, Chow S S, Woo A P, et al. 
Goten: GPU-outsourcing trusted execution of neural network training. In: Proceedings of AAAI Conference on Artificial Intelligence (AAAI), 2021. 14876\u201314883"},{"key":"4388_CR394","unstructured":"NVIDIA. NVIDIA confidential computing. 2022. https:\/\/www.nvidia.com\/en-us\/data-center\/solutions\/confidentialcomputing\/"},{"key":"4388_CR395","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3523273","volume":"54","author":"H Hu","year":"2022","unstructured":"Hu H, Salcic Z, Sun L, et al. Membership inference attacks on machine learning: a survey. ACM Comput Surv, 2022, 54: 1\u201337","journal-title":"ACM Comput Surv"},{"key":"4388_CR396","first-page":"5345","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"Y Kaya","year":"2021","unstructured":"Kaya Y, Dumitras T. When does data augmentation help with membership inference attacks? In: Proceedings of International Conference on Machine Learning (ICML), 2021. 5345\u20135355"},{"key":"4388_CR397","first-page":"634","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"M Nasr","year":"2018","unstructured":"Nasr M, Shokri R, Houmansadr A. Machine learning with membership privacy using adversarial regularization. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2018. 634\u2013646"},{"key":"4388_CR398","first-page":"9549","volume-title":"Proceedings of AAAI Conference on Artificial Intelligence (AAAI)","author":"V Shejwalkar","year":"2021","unstructured":"Shejwalkar V, Houmansadr A. Membership privacy for machine learning models through knowledge transfer. In: Proceedings of AAAI Conference on Artificial Intelligence (AAAI), 2021. 9549\u20139557"},{"key":"4388_CR399","first-page":"1433","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"X Tang","year":"2022","unstructured":"Tang X, Mahloujifar S, Song L, et al. 
Mitigating membership inference attacks by self-distillation through a novel ensemble architecture. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 1433\u20131450"},{"key":"4388_CR400","first-page":"259","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"J Jia","year":"2019","unstructured":"Jia J, Salem A, Backes M, et al. MemGuard: defending against black-box membership inference attacks via adversarial examples. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2019. 259\u2013274"},{"key":"4388_CR401","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"Z Chen","year":"2024","unstructured":"Chen Z, Pattabiraman K. Overconfidence is a dangerous thing: mitigating membership inference attacks by enforcing less confident prediction. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR402","first-page":"2633","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"N Carlini","year":"2021","unstructured":"Carlini N, Tram\u00e8r F, Wallace E, et al. Extracting training data from large language models. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 2633\u20132650"},{"key":"4388_CR403","first-page":"3","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"R Shokri","year":"2017","unstructured":"Shokri R, Stronati M, Song C, et al. Membership inference attacks against machine learning models. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2017. 3\u201318"},{"key":"4388_CR404","first-page":"463","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Y Cao","year":"2015","unstructured":"Cao Y, Yang J. Towards making systems forget with machine unlearning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2015. 
463\u2013480"},{"key":"4388_CR405","first-page":"141","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"L Bourtoule","year":"2021","unstructured":"Bourtoule L, Chandrasekaran V, Choquette-Choo C A, et al. Machine unlearning. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 141\u2013159"},{"key":"4388_CR406","first-page":"1092","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"J Brophy","year":"2021","unstructured":"Brophy J, Lowd D. Machine unlearning for random forests. In: Proceedings of International Conference on Machine Learning (ICML), 2021. 1092\u20131104"},{"key":"4388_CR407","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"A Warnecke","year":"2023","unstructured":"Warnecke A, Pirch L, Wressnegger C, et al. Machine unlearning of features and labels. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2023"},{"key":"4388_CR408","first-page":"303","volume-title":"Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P)","author":"A Thudi","year":"2022","unstructured":"Thudi A, Deza G, Chandrasekaran V, et al. Unrolling SGD: understanding factors influencing machine unlearning. In: Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P), 2022. 303\u2013319"},{"key":"4388_CR409","first-page":"3832","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"C Guo","year":"2020","unstructured":"Guo C, Goldstein T, Hannun A Y, et al. Certified data removal from machine learning models. In: Proceedings of International Conference on Machine Learning (ICML), 2020. 3832\u20133842"},{"key":"4388_CR410","first-page":"896","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"M Chen","year":"2021","unstructured":"Chen M, Zhang Z, Wang T, et al. 
When machine unlearning jeopardizes privacy. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 896\u2013911"},{"key":"4388_CR411","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"H Hu","year":"2024","unstructured":"Hu H, Wang S, Chang J, et al. A duty to forget, a right to be assured? Exposing vulnerabilities in machine unlearning services. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR412","doi-asserted-by":"crossref","unstructured":"Rivest R. RFC 1321: the MD5 message-digest algorithm. 1992. https:\/\/www.rfc-editor.org\/rfc\/pdfrfc\/rfc1321.txt.pdf","DOI":"10.17487\/rfc1321"},{"key":"4388_CR413","doi-asserted-by":"publisher","first-page":"228","DOI":"10.1016\/j.ins.2021.06.073","volume":"576","author":"M Botta","year":"2021","unstructured":"Botta M, Cavagnino D, Esposito R. NeuNAC: a novel fragile watermarking algorithm for integrity protection of neural networks. Inf Sci, 2021, 576: 228\u2013241","journal-title":"Inf Sci"},{"key":"4388_CR414","first-page":"1","volume-title":"Proceedings of IEEE\/ACM International Conference on Computer-Aided Design (ICCAD)","author":"M Javaheripi","year":"2021","unstructured":"Javaheripi M, Koushanfar F. Hashtag: hash signatures for online detection of fault-injection attacks on deep neural networks. In: Proceedings of IEEE\/ACM International Conference on Computer-Aided Design (ICCAD), 2021. 1\u20139"},{"key":"4388_CR415","first-page":"4729","volume-title":"Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Z He","year":"2019","unstructured":"He Z, Zhang T, Lee R. Sensitive-sample fingerprinting of deep neural networks. In: Proceedings of IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2019. 
4729\u20134737"},{"key":"4388_CR416","first-page":"280","volume-title":"Proceedings of International Conference on Knowledge Science, Engineering and Management (KSEM)","author":"R Zhu","year":"2021","unstructured":"Zhu R, Wei P, Li S, et al. Fragile neural network watermarking with trigger image set. In: Proceedings of International Conference on Knowledge Science, Engineering and Management (KSEM), 2021. 280\u2013293"},{"key":"4388_CR417","first-page":"35","volume-title":"Proceedings of International Symposium on Symbolic Computation in Software Science (SCSS)","author":"A N Docena","year":"2021","unstructured":"Docena A N, Wahl T, Pearce T, et al. Sensitive samples revisited: detecting neural network attacks using constraint solvers. In: Proceedings of International Symposium on Symbolic Computation in Software Science (SCSS), 2021. 35\u201348"},{"key":"4388_CR418","doi-asserted-by":"publisher","first-page":"108238","DOI":"10.1016\/j.knosys.2022.108238","volume":"241","author":"D P Kuttichira","year":"2022","unstructured":"Kuttichira D P, Gupta S, Nguyen D, et al. Verification of integrity of deployed deep learning models using Bayesian optimization. Knowledge-Based Syst, 2022, 241: 108238","journal-title":"Knowledge-Based Syst"},{"key":"4388_CR419","first-page":"19","volume-title":"Proceedings of ACM\/IEEE Design Automation Conference (DAC)","author":"O Aramoon","year":"2021","unstructured":"Aramoon O, Chen P Y, Qu G. AID: attesting the integrity of deep neural networks. In: Proceedings of ACM\/IEEE Design Automation Conference (DAC), 2021. 19\u201324"},{"key":"4388_CR420","first-page":"54402","volume-title":"Proceedings of International Conference on Machine Learning (ICML)","author":"X Bai","year":"2024","unstructured":"Bai X, He C, Ma X, et al. Intersecting-boundary-sensitive fingerprinting for tampering detection of DNN models. In: Proceedings of International Conference on Machine Learning (ICML), 2024. 
54402\u201354413"},{"key":"4388_CR421","first-page":"1239","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"S Wang","year":"2022","unstructured":"Wang S, Abuadbba S, Agarwal S, et al. PublicCheck: public integrity verification for services of run-time deep models. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2022. 1239\u20131256"},{"key":"4388_CR422","first-page":"9875","volume-title":"Proceedings of International Conference on Multimedia Retrieval (ICMR)","author":"C He","year":"2024","unstructured":"He C, Bai X, Ma X, et al. Towards stricter black-box integrity verification of deep neural network models. In: Proceedings of International Conference on Multimedia Retrieval (ICMR), 2024. 9875\u20139884"},{"key":"4388_CR423","first-page":"2534","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"B Wu","year":"2024","unstructured":"Wu B, Yuan X, Wang S, et al. Securing graph neural networks in MLaaS: a comprehensive realization of query-based integrity verification. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 2534\u20132552"},{"key":"4388_CR424","first-page":"101","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Y Li","year":"2020","unstructured":"Li Y, Li M, Luo B, et al. DeepDyve: dynamic verification for deep neural networks. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2020. 101\u2013112"},{"key":"4388_CR425","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1145\/3007787.3001165","volume":"44","author":"B Reagen","year":"2016","unstructured":"Reagen B, Whatmough P, Adolf R, et al. Minerva: enabling low-power, highly-accurate deep neural network accelerators. 
SIGARCH Comput Archit News, 2016, 44: 267\u2013278","journal-title":"SIGARCH Comput Archit News"},{"key":"4388_CR426","first-page":"13","volume-title":"Proceedings of International Symposium on Computer Architecture (ISCA)","author":"S Venkataramani","year":"2017","unstructured":"Venkataramani S, Ranjan A, Banerjee S, et al. SCALEDEEP: a scalable compute architecture for learning and evaluating deep networks. In: Proceedings of International Symposium on Computer Architecture (ISCA), 2017. 13\u201326"},{"key":"4388_CR427","first-page":"2329","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"J Wang","year":"2023","unstructured":"Wang J, Zhang Z, Wang M, et al. Aegis: mitigating targeted bit-flip attacks against deep neural networks. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 2329\u20132346"},{"key":"4388_CR428","first-page":"990","volume-title":"Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS)","author":"A Guesmi","year":"2021","unstructured":"Guesmi A, Alouani I, Khasawneh K N, et al. Defensive approximation: securing CNNs using approximate computing. In: Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2021. 990\u20131003"},{"key":"4388_CR429","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"W Xu","year":"2018","unstructured":"Xu W, Evans D, Qi Y. Feature squeezing: detecting adversarial examples in deep neural networks. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2018"},{"key":"4388_CR430","unstructured":"Grosse K, Manoharan P, Papernot N, et al. On the (statistical) detection of adversarial examples. 2017. 
ArXiv:1702.06280"},{"key":"4388_CR431","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"I J Goodfellow","year":"2015","unstructured":"Goodfellow I J, Shlens J, Szegedy C. Explaining and harnessing adversarial examples. In: Proceedings of International Conference on Learning Representations (ICLR), 2015"},{"key":"4388_CR432","first-page":"372","volume-title":"Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P)","author":"N Papernot","year":"2016","unstructured":"Papernot N, McDaniel P D, Jha S, et al. The limitations of deep learning in adversarial settings. In: Proceedings of IEEE European Symposium on Security and Privacy (Euro S&P), 2016. 372\u2013387"},{"key":"4388_CR433","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"J H Metzen","year":"2017","unstructured":"Metzen J H, Genewein T, Fischer V, et al. On detecting adversarial perturbations. In: Proceedings of International Conference on Learning Representations (ICLR), 2017"},{"key":"4388_CR434","first-page":"1","volume-title":"Proceedings of IEEE Conference on Computer Communications (INFOCOM)","author":"F Li","year":"2021","unstructured":"Li F, Liu X, Zhang X, et al. Detecting localized adversarial examples: a generic approach using critical region analysis. In: Proceedings of IEEE Conference on Computer Communications (INFOCOM), 2021. 1\u201310"},{"key":"4388_CR435","unstructured":"Chou E, Tram\u00e8r F, Pellegrino G, et al. SentiNet: detecting physical attacks against deep learning systems. 2018. ArXiv:1812.00292"},{"key":"4388_CR436","doi-asserted-by":"crossref","unstructured":"Lu J, Issaranon T, Forsyth D A. SafetyNet: detecting and rejecting adversarial examples robustly. 2017. 
ArXiv:1704.00103","DOI":"10.1109\/ICCV.2017.56"},{"key":"4388_CR437","first-page":"4584","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"T Pang","year":"2018","unstructured":"Pang T, Du C, Dong Y, et al. Towards robust detection of adversarial examples. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2018. 4584\u20134594"},{"key":"4388_CR438","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"A Kurakin","year":"2017","unstructured":"Kurakin A, Goodfellow I J, Bengio S. Adversarial examples in the physical world. In: Proceedings of International Conference on Learning Representations (ICLR), 2017"},{"key":"4388_CR439","first-page":"39","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"N Carlini","year":"2017","unstructured":"Carlini N, Wagner D A. Towards evaluating the robustness of neural networks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2017. 39\u201357"},{"key":"4388_CR440","doi-asserted-by":"publisher","first-page":"148","DOI":"10.1016\/j.future.2020.04.013","volume":"110","author":"M Pawlicki","year":"2020","unstructured":"Pawlicki M, Chora\u015b M, Kozik R. Defending network intrusion detection systems against adversarial evasion attacks. Future Generation Comput Syst, 2020, 110: 148\u2013154","journal-title":"Future Generation Comput Syst"},{"key":"4388_CR441","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"A Madry","year":"2018","unstructured":"Madry A, Makelov A, Schmidt L, et al. Towards deep learning models resistant to adversarial attacks. 
In: Proceedings of International Conference on Learning Representations (ICLR), 2018"},{"key":"4388_CR442","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"G Tao","year":"2021","unstructured":"Tao G, Chen X, Jia Y, et al. FIRM: detecting adversarial audios by recursive filters with randomization. In: Proceedings of International Conference on Learning Representations (ICLR), 2021"},{"key":"4388_CR443","first-page":"617","volume-title":"Proceedings of International Conference on Machine Learning and Applications (ICMLA)","author":"J V Tuinen","year":"2022","unstructured":"Tuinen J V, Ranganath A, Konjevod G, et al. Novel adversarial defense techniques for white-box attacks. In: Proceedings of International Conference on Machine Learning and Applications (ICMLA), 2022. 617\u2013622"},{"key":"4388_CR444","unstructured":"Lin Z, Pfister H, Zhang Z. White-box adversarial defense via self-supervised data estimation. 2019. ArXiv:1909.06271"},{"key":"4388_CR445","doi-asserted-by":"publisher","first-page":"2147","DOI":"10.1109\/TIFS.2019.2956591","volume":"15","author":"M Esmaeilpour","year":"2020","unstructured":"Esmaeilpour M, Cardinal P, Koerich A L. A robust approach for securing audio classification against adversarial attacks. IEEE Trans Inform Forensic Secur, 2020, 15: 2147\u20132159","journal-title":"IEEE Trans Inform Forensic Secur"},{"key":"4388_CR446","first-page":"4787","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"J Zhang","year":"2023","unstructured":"Zhang J, Chen Z, Zhang H, et al. DiffSmooth: certifiably robust learning via diffusion models and local smoothing. In: Proceedings of USENIX Security Symposium (USENIX Security), 2023. 4787\u20134804"},{"key":"4388_CR447","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"N Carlini","year":"2023","unstructured":"Carlini N, Tram\u00e8r F, Dvijotham K D, et al. 
(Certified!!) adversarial robustness for free! In: Proceedings of International Conference on Learning Representations (ICLR), 2023"},{"key":"4388_CR448","unstructured":"Xiao C, Chen Z, Jin K, et al. DensePure: understanding diffusion models towards adversarial robustness. 2022. ArXiv:2211.00322"},{"key":"4388_CR449","unstructured":"Rosenberg I, Shabtai A, Elovici Y, et al. Defense methods against adversarial examples for recurrent neural networks. 2019. ArXiv:1901.09963"},{"key":"4388_CR450","doi-asserted-by":"publisher","first-page":"3753","DOI":"10.1109\/TDSC.2022.3210029","volume":"20","author":"G Apruzzese","year":"2023","unstructured":"Apruzzese G, Subrahmanian V S. Mitigating adversarial gray-box attacks against phishing detectors. IEEE Trans Dependable Secure Comput, 2023, 20: 3753\u20133769","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"4388_CR451","doi-asserted-by":"crossref","unstructured":"Wu H, Liu A T, Lee H. Defense for black-box attacks on anti-spoofing models by self-supervised learning. 2020. ArXiv:2006.03214","DOI":"10.21437\/Interspeech.2020-2026"},{"key":"4388_CR452","first-page":"3015","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"Z Zhou","year":"2024","unstructured":"Zhou Z, Li M, Liu W, et al. Securely fine-tuning pre-trained encoders against adversarial examples. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 3015\u20133033"},{"key":"4388_CR453","first-page":"2083","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"P Vaishnavi","year":"2022","unstructured":"Vaishnavi P, Eykholt K, Rahmati A. Transferring adversarial robustness through robust representation matching. In: Proceedings of USENIX Security Symposium (USENIX Security), 2022. 
2083\u20132098"},{"key":"4388_CR454","first-page":"477","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Y Chen","year":"2021","unstructured":"Chen Y, Wang S, Qin Y, et al. Learning security classifiers with verified global robustness properties. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2021. 477\u2013494"},{"key":"4388_CR455","first-page":"3996","volume-title":"Proceedings of the 34th AAAI Conference on Artificial Intelligence, the 32nd Innovative Applications of Artificial Intelligence Conference, the 10th AAAI Symposium on Educational Advances in Artificial Intelligence, New York","author":"M Goldblum","year":"2020","unstructured":"Goldblum M, Fowl L, Feizi S, et al. Adversarially robust distillation. In: Proceedings of the 34th AAAI Conference on Artificial Intelligence, the 32nd Innovative Applications of Artificial Intelligence Conference, the 10th AAAI Symposium on Educational Advances in Artificial Intelligence, New York, 2020. 3996\u20134003"},{"key":"4388_CR456","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"S Shao","year":"2025","unstructured":"Shao S, Li Y, Yao H, et al. Explanation as a watermark: towards harmless and multi-bit model ownership verification via watermarking feature attribution. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2025"},{"key":"4388_CR457","first-page":"1937","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"H Jia","year":"2021","unstructured":"Jia H, Choquette-Choo C A, Chandrasekaran V, et al. Entangled watermarks as a defense against model extraction. In: Proceedings of USENIX Security Symposium (USENIX Security), 2021. 
1937\u20131954"},{"key":"4388_CR458","first-page":"99","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"P Lv","year":"2024","unstructured":"Lv P, Ma H, Chen K, et al. Mea-Defender: a robust watermark against model extraction attack. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 99\u201399"},{"key":"4388_CR459","first-page":"121","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"S Abdelnabi","year":"2021","unstructured":"Abdelnabi S, Fritz M. Adversarial watermarking transformer: towards tracing text provenance with data hiding. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 121\u2013140"},{"key":"4388_CR460","first-page":"5269","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"T Krau\u00df","year":"2024","unstructured":"Krau\u00df T, Stang J, Dmitrienko A. ClearStamp: a human-visible and robust model-ownership proof based on transposed model training. In: Proceedings of USENIX Security Symposium (USENIX Security), 2024. 5269\u20135286"},{"key":"4388_CR461","first-page":"579","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"T Cong","year":"2022","unstructured":"Cong T, He X, Zhang Y. SSLGuard: a watermarking scheme for self-supervised learning pre-trained encoders. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022. 579\u2013593"},{"key":"4388_CR462","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"P Lv","year":"2024","unstructured":"Lv P, Li P, Zhu S, et al. SSL-WM: a black-box watermarking approach for encoders pre-trained by self-supervised learning. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR463","first-page":"1615","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security)","author":"Y Adi","year":"2018","unstructured":"Adi Y, Baum C, Cisse M, et al. Turning your weakness into a strength: watermarking deep neural networks by backdooring. In: Proceedings of USENIX Security Symposium (USENIX Security), 2018. 1615\u20131631"},{"key":"4388_CR464","first-page":"1039","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"H Jia","year":"2021","unstructured":"Jia H, Yaghini M, Choquette-Choo C A, et al. Proof-of-learning: definitions and practice. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2021. 1039\u20131056"},{"key":"4388_CR465","first-page":"1880","volume-title":"Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"S Garg","year":"2023","unstructured":"Garg S, Goel A, Jha S, et al. Experimenting with zero-knowledge proofs of training. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2023. 1880\u20131894"},{"key":"4388_CR466","doi-asserted-by":"publisher","first-page":"2645","DOI":"10.1109\/TDSC.2023.3315064","volume":"21","author":"H Yao","year":"2024","unstructured":"Yao H, Li Z, Huang K, et al. RemovalNet: DNN fingerprint removal attacks. IEEE Trans Dependable Secure Comput, 2024, 21: 2645\u20132658","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"4388_CR467","first-page":"14","volume-title":"Proceedings of ACM Asia Conference on Computer and Communications Security (ASIACCS)","author":"X Cao","year":"2021","unstructured":"Cao X, Jia J, Gong N Z. IPGuard: protecting intellectual property of deep neural networks via fingerprinting the classification boundary. In: Proceedings of ACM Asia Conference on Computer and Communications Security (ASIACCS), 2021. 
14\u201325"},{"key":"4388_CR468","first-page":"2460","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"A Waheed","year":"2024","unstructured":"Waheed A, Duddu V, Asokan N. GROVE: ownership verification of graph neural networks using embeddings. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 2460\u20132477"},{"key":"4388_CR469","first-page":"1","volume-title":"Proceedings of IEEE International Symposium on Biomedical Imaging (ISBI)","author":"Y Yang","year":"2023","unstructured":"Yang Y, Yang J, He J, et al. FDINet: feature-decomposition-interaction networks for retinal vessel segmentation. In: Proceedings of IEEE International Symposium on Biomedical Imaging (ISBI), 2023. 1\u20135"},{"key":"4388_CR470","unstructured":"Alon G, Kamfonas M. Detecting language model attacks with perplexity. 2023. ArXiv:2308.14132"},{"key":"4388_CR471","doi-asserted-by":"crossref","unstructured":"Pi R, Han T, Zhang J, et al. MLLM-Protector: ensuring MLLM\u2019s safety without hurting performance. 2024. ArXiv:2401.02906","DOI":"10.18653\/v1\/2024.emnlp-main.895"},{"key":"4388_CR472","unstructured":"Jain N, Schwarzschild A, Wen Y, et al. Baseline defenses for adversarial attacks against aligned language models. 2023. ArXiv:2309.00614"},{"key":"4388_CR473","first-page":"2920","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"X Zhang","year":"2024","unstructured":"Zhang X, Hong H, Hong Y, et al. Text-CRS: a generalized certified robustness framework against textual adversarial attacks. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 2920\u20132938"},{"key":"4388_CR474","first-page":"386","volume-title":"Proceedings of European Conference on Computer Vision (ECCV)","author":"X Liu","year":"2025","unstructured":"Liu X, Zhu Y, Gu J, et al. MM-SafetyBench: a benchmark for safety evaluation of multimodal large language models. 
In: Proceedings of European Conference on Computer Vision (ECCV), 2025. 386\u2013403"},{"key":"4388_CR475","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"L Shen","year":"2024","unstructured":"Shen L, Pu Y, Ji S, et al. Improving the robustness of transformer-based large language models with dynamic attention. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2024"},{"key":"4388_CR476","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"Y Pang","year":"2025","unstructured":"Pang Y, Xiong A, Zhang Y, et al. Towards understanding unsafe video generation. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2025"},{"key":"4388_CR477","unstructured":"Bai Y, Jones A, Ndousse K, et al. Training a helpful and harmless assistant with reinforcement learning from human feedback. 2022. ArXiv:2204.05862"},{"key":"4388_CR478","first-page":"53728","volume-title":"Proceedings of Advances in Neural Information Processing Systems","author":"R Rafailov","year":"2024","unstructured":"Rafailov R, Sharma A, Mitchell E, et al. Direct preference optimization: your language model is secretly a reward model. In: Proceedings of Advances in Neural Information Processing Systems, 2024. 53728\u201353741"},{"key":"4388_CR479","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"M Khanov","year":"2024","unstructured":"Khanov M, Burapacheep J, Li Y. ARGS: alignment as reward-guided search. In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR480","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"K Chen","year":"2024","unstructured":"Chen K, Wang C, Yang K, et al. Gaining wisdom from setbacks: aligning large language models via mistake analysis. 
In: Proceedings of International Conference on Learning Representations (ICLR), 2024"},{"key":"4388_CR481","unstructured":"Liu Y, Sun Z, He X, et al. Quantized delta weight is safety keeper. 2024. ArXiv:2411.19530"},{"key":"4388_CR482","first-page":"13579","volume-title":"Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS)","author":"J Liu","year":"2024","unstructured":"Liu J, Xiao G, Li K, et al. BitDelta: your fine-tune may only be worth one bit. In: Proceedings of Annual Conference on Neural Information Processing Systems (NeurIPS), 2024. 13579\u201313600"},{"key":"4388_CR483","volume-title":"Proceedings of International Conference on Learning Representations (ICLR)","author":"M Li","year":"2025","unstructured":"Li M, Si W M, Backes M, et al. SaloRA: safety-alignment preserved low-rank adaptation. In: Proceedings of International Conference on Learning Representations (ICLR), 2025"},{"key":"4388_CR484","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS)","author":"Y Gong","year":"2025","unstructured":"Gong Y, Ran D, He X, et al. Safety misalignment against large language models. In: Proceedings of Network and Distributed System Security Symposium (NDSS), 2025"},{"key":"4388_CR485","first-page":"845","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"H Yao","year":"2024","unstructured":"Yao H, Lou J, Qin Z, et al. PromptCARE: prompt copyright protection by watermark injection and verification. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 845\u2013861"},{"key":"4388_CR486","unstructured":"Zhang J, Ma X, Wang X, et al. Adversarial prompt tuning for vision-language models. 2023. ArXiv:2311.11261"},{"key":"4388_CR487","first-page":"2553","volume-title":"Proceedings of IEEE Symposium on Security and Privacy (S&P)","author":"J Deng","year":"2024","unstructured":"Deng J, Pang S, Chen Y, et al. 
SOPHON: non-fine-tunable learning to restrain task transferability for pre-trained models. In: Proceedings of IEEE Symposium on Security and Privacy (S&P), 2024. 2553\u20132571"},{"key":"4388_CR488","first-page":"14138","volume-title":"Proceedings of Annual Meeting of the Association for Computational Linguistics (ACL)","author":"R Bhardwaj","year":"2024","unstructured":"Bhardwaj R, Anh D D, Poria S. Language models are homer simpson! Safety re-alignment of fine-tuned language models through task arithmetic. In: Proceedings of Annual Meeting of the Association for Computational Linguistics (ACL), 2024. 14138\u201314149"}],"container-title":["Science China Information Sciences"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11432-025-4388-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11432-025-4388-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11432-025-4388-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,5]],"date-time":"2025-07-05T12:04:14Z","timestamp":1751717054000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11432-025-4388-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,3]]},"references-count":488,"journal-issue":{"issue":"8","published-print":{"date-parts":[[2025,8]]}},"alternative-id":["4388"],"URL":"https:\/\/doi.org\/10.1007\/s11432-025-4388-5","relation":{},"ISSN":["1674-733X","1869-1919"],"issn-type":[{"value":"1674-733X","type":"print"},{"value":"1869-1919","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7,3]]},"assertion":[{"value":"20 January 
2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"8 April 2025","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"16 April 2025","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 July 2025","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"181101"}}