{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T11:19:40Z","timestamp":1771931980363,"version":"3.50.1"},"reference-count":109,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T00:00:00Z","timestamp":1771891200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T00:00:00Z","timestamp":1771891200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["SN COMPUT. SCI."],"DOI":"10.1007\/s42979-025-04658-y","type":"journal-article","created":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T10:31:47Z","timestamp":1771929107000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Fortifying AI Systems: Emerging Threats and Security Countermeasures"],"prefix":"10.1007","volume":"7","author":[{"given":"Habibur","family":"Rahaman","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Atri","family":"Chatterjee","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Swarup","family":"Bhunia","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,2,24]]},"reference":[{"issue":"1","key":"4658_CR1","doi-asserted-by":"publisher","first-page":"4907754","DOI":"10.1155\/2021\/4907754","volume":"2021","author":"Z Kong","year":"2021","unstructured":"Kong Z, Xue J, Wang Y, Huang L, Niu Z, Li F. A survey on adversarial attack in the age of artificial intelligence. Wirel Commun Mob Comput. 2021;2021(1):4907754.","journal-title":"Wirel Commun Mob Comput"},{"key":"4658_CR2","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli S-M, Fawzi A, Frossard P. Deepfool: a simple and accurate method to fool deep neural networks. In: IEEE Conference on Computer Vision and Pattern Recognition, 2016; pp. 2574\u20132582.","DOI":"10.1109\/CVPR.2016.282"},{"key":"4658_CR3","unstructured":"Gu T, Dolan-Gavitt B, Garg S. Badnets: identifying vulnerabilities in the machine learning model supply chain. 2017. arXiv preprint arXiv:1708.06733."},{"key":"4658_CR4","unstructured":"Goodfellow IJ, Shlens J, Szegedy C. Explaining and harnessing adversarial examples. 2014. arXiv preprint arXiv:1412.6572."},{"key":"4658_CR5","unstructured":"Zou A, Wang Z, Carlini N, Nasr M, Kolter JZ, Fredrikson M. Universal and transferable adversarial attacks on aligned language models. 2023. arXiv preprint arXiv:2307.15043."},{"issue":"4","key":"4658_CR6","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3605212","volume":"26","author":"X Gong","year":"2023","unstructured":"Gong X, Chen Y, Yang W, Huang H, Wang Q. B3: backdoor attacks against black-box machine learning models. ACM Trans Privacy Secur. 2023;26(4):1\u201324.","journal-title":"ACM Trans Privacy Secur"},{"issue":"8","key":"4658_CR7","doi-asserted-by":"publisher","first-page":"1283","DOI":"10.3390\/electronics11081283","volume":"11","author":"H Liang","year":"2022","unstructured":"Liang H, He E, Zhao Y, Jia Z, Li H. Adversarial attack and defense: a survey. Electronics. 2022;11(8):1283.","journal-title":"Electronics"},{"key":"4658_CR8","doi-asserted-by":"crossref","unstructured":"Rahman MM, Arshi AS, Hasan MM, Mishu SF, Shahriar H, Wu F. Security risk and attacks in ai: a survey of security and privacy. In: IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), 2023; p. 1834\u20131839. IEEE.","DOI":"10.1109\/COMPSAC57700.2023.00284"},{"issue":"1","key":"4658_CR9","first-page":"1","volume":"2024","author":"A Paracha","year":"2024","unstructured":"Paracha A, Arshad J, Farah MB, Ismail K. Machine learning security and privacy: a review of threats and countermeasures. EURASIP J Inf Secur. 2024;2024(1):1\u201323.","journal-title":"EURASIP J Inf Secur"},{"key":"4658_CR10","doi-asserted-by":"crossref","unstructured":"Rahaman H, Chatterjee A, Bhunia S. Secure ai systems: emerging threats and defense mechanisms. In: 2024 IEEE 33rd Asian Test Symposium (ATS), 2024; pp. 1\u20136. IEEE.","DOI":"10.1109\/ATS64447.2024.10915428"},{"issue":"2","key":"4658_CR11","doi-asserted-by":"publisher","first-page":"225","DOI":"10.1016\/j.dcan.2021.07.009","volume":"8","author":"C Wang","year":"2022","unstructured":"Wang C, Chen J, Yang Y, Ma X, Liu J. Poisoning attacks and countermeasures in intelligent networks: status quo and prospects. Digit Commun Netw. 2022;8(2):225\u201334.","journal-title":"Digit Commun Netw"},{"key":"4658_CR12","unstructured":"Fang M, Cao X, Jia J, Gong N. Local model poisoning attacks to $$\\{$$Byzantine-Robust$$\\}$$ federated learning. In: 29th USENIX Security Symposium (USENIX Security 20), 2020; pp. 1605\u20131622."},{"key":"4658_CR13","doi-asserted-by":"crossref","unstructured":"Jagielski M, Oprea A, Biggio B, Liu C, Nita-Rotaru C, Li B. Manipulating machine learning: Poisoning attacks and countermeasures for regression learning. In: IEEE Symposium on Security and Privacy (SP), 2018; pp. 19\u201335. IEEE.","DOI":"10.1109\/SP.2018.00057"},{"key":"4658_CR14","unstructured":"Goodfellow I, Pouget-Abadie J, Mirza M, Xu B, Warde-Farley D, Ozair S, Courville A, Bengio Y. Generative adversarial nets. In: Advances in neural information processing systems. 2014;27."},{"key":"4658_CR15","doi-asserted-by":"crossref","unstructured":"Kurita K, Michel P, Neubig G. Weight poisoning attacks on pre-trained models. 2020. arXiv preprint arXiv:2004.06660.","DOI":"10.18653\/v1\/2020.acl-main.249"},{"key":"4658_CR16","unstructured":"Steinhardt J, Koh P.W, Liang P. Certified defenses for data poisoning attacks. In: Advances in Neural Information Processing Systems (NeurIPS). 2017."},{"key":"4658_CR17","unstructured":"Tran B, Li J, Madry A. Spectral signatures in backdoor attacks. In: Advances in Neural Information Processing Systems (NeurIPS). 2018."},{"key":"4658_CR18","unstructured":"Jia J, Cao X, Gong N.Z. Certified robustness to data poisoning attacks via randomized smoothing. In: IEEE Symposium on Security and Privacy (SP). 2020."},{"key":"4658_CR19","doi-asserted-by":"crossref","unstructured":"Mahloujifar S, Diochnos D.I, Mahmoody M. The curse of concentration in robust learning: Evasion and poisoning attacks from concentration. In: AAAI Conference on Artificial Intelligence. 2019.","DOI":"10.1609\/aaai.v33i01.33014536"},{"key":"4658_CR20","unstructured":"Blanchard P, El\u00a0Mhamdi E.M, Guerraoui R, Stainer J. Machine learning with adversaries: Byzantine tolerant gradient descent. In: Advances in Neural Information Processing Systems (NeurIPS). 2017."},{"key":"4658_CR21","unstructured":"Yin D, Chen Y, Ramchandran K, Bartlett P. Byzantine-robust distributed learning: Towards optimal statistical rates. In: International Conference on Machine Learning (ICML). 2018."},{"key":"4658_CR22","doi-asserted-by":"crossref","unstructured":"Chen B, Carvalho W, Baracaldo N, Ludwig H, Edwards B, Lee T, Molloy I, Srivastava B. Deepinspect: A black-box trojan detection and mitigation framework for deep neural networks. In: AAAI Conference on Artificial Intelligence. 2019.","DOI":"10.24963\/ijcai.2019\/647"},{"key":"4658_CR23","doi-asserted-by":"crossref","unstructured":"Doan B.G, Abbasnejad E, Ranasinghe D.C. Februus: Input purification defense against trojan attacks on deep neural network systems. In: 36th Annual Computer Security Applications Conference, 2020; pp. 897\u2013912.","DOI":"10.1145\/3427228.3427264"},{"key":"4658_CR24","doi-asserted-by":"crossref","unstructured":"Mengara O, Avila A, Falk T.H. Backdoor attacks to deep neural networks: A survey of the literature, challenges, and future research directions. IEEE Access. 2024.","DOI":"10.1109\/ACCESS.2024.3355816"},{"key":"4658_CR25","doi-asserted-by":"crossref","unstructured":"Liu Y, Ma S, Aafer Y, Lee W-C, Zhai J, Wang W, Zhang X. Trojaning attack on neural networks. In: 25th Annual Network And Distributed System Security Symposium (NDSS 2018) 2018. Internet Soc. 2018.","DOI":"10.14722\/ndss.2018.23291"},{"key":"4658_CR26","doi-asserted-by":"publisher","unstructured":"Wang B, Yao Y, Shan S, Bhojanapalli S, Gao Y, al. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In: 2019 IEEE Symposium on Security and Privacy (SP) 2019. https:\/\/doi.org\/10.1109\/SP.2019.00031 .","DOI":"10.1109\/SP.2019.00031"},{"key":"4658_CR27","unstructured":"Li H, Kadav A, Durdanovic I, Samet H, Graf H.P. Pruning filters for efficient convnets. In: International Conference on Learning Representations (ICLR) Workshop Track 2017. arXiv:1608.08710"},{"key":"4658_CR28","unstructured":"Han S, Mao H, Dally W.J. Deep compression: Compressing deep neural networks with pruning, trained quantization and huffman coding. In: International Conference on Learning Representations (ICLR) Workshop Track 2016. arXiv:1510.00149"},{"key":"4658_CR29","unstructured":"McMahan B, Moore E, Ramage D, Hampson S, Arcas B.A. Communication-efficient learning of deep networks from decentralized data. In: Proceedings of AISTATS. 2017."},{"key":"4658_CR30","unstructured":"Lee Y, Chen K, Meng G, Lv P, et al.: Aliasing backdoor attacks on pre-trained models. In: 32nd USENIX Security Symposium (USENIX Security 23), 2023; pp. 2707\u20132724."},{"key":"4658_CR31","doi-asserted-by":"crossref","unstructured":"Xu K, Zhang Y, Cheng S, Lyu L, Yang Y, Xia S. Detecting ai trojans using meta neural analysis. In: IEEE Symposium on Security and Privacy (SP), 2019; pp. 103\u2013120.","DOI":"10.1109\/SP40001.2021.00034"},{"key":"4658_CR32","doi-asserted-by":"crossref","unstructured":"Liu K, Dolan-Gavitt B, Garg S. Fine-pruning: Defending against backdooring attacks on deep neural networks. In: International Symposium on Research in Attacks, Intrusions, and Defenses (RAID), 2018; pp. 273\u2013294.","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"4658_CR33","unstructured":"Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. Towards deep learning models resistant to adversarial attacks. In: International Conference on Learning Representations (ICLR). 2018."},{"key":"4658_CR34","doi-asserted-by":"crossref","unstructured":"Carlini N, Wagner D. Towards evaluating the robustness of neural networks. In: IEEE Symposium on Security and Privacy (SP), 2017; pp. 39\u201357.","DOI":"10.1109\/SP.2017.49"},{"key":"4658_CR35","unstructured":"Raghunathan A, Steinhardt J, Liang P. Certified defenses against adversarial examples. In: International Conference on Learning Representations (ICLR). 2018."},{"key":"4658_CR36","unstructured":"Li W, Liu B, Ma S. Model integrity verification for deep learning systems. 2020. arXiv preprint arXiv:2008.08308."},{"key":"4658_CR37","unstructured":"Chen Y, Ouyang J, Zhao Y. Deepattest: An end-to-end attestation framework for deep neural networks. In: USENIX Security Symposium, 2021; pp. 117\u2013134."},{"key":"4658_CR38","unstructured":"T.Silva: An intuitive introduction to generative adversarial networks. 2018. https:\/\/medium freecodecamp.org\/an-intuitive-introduction-to-generative-adversarial-networks-gans-7a2264a81394."},{"key":"4658_CR39","unstructured":"Radford A, Metz L, Chintala S. Unsupervised representation learning with deep convolutional generative adversarial networks. In: arXiv Preprint. 2015. arXiv:1511.06434."},{"key":"4658_CR40","unstructured":"Arjovsky M, Bottou L. Towards principled methods for training generative adversarial networks. In: International Conference on Learning Representations (ICLR). 2017."},{"key":"4658_CR41","unstructured":"Zhao Z, Dua D, Singh S. Generating natural adversarial examples. In: International Conference on Learning Representations (ICLR). 2018."},{"key":"4658_CR42","doi-asserted-by":"crossref","unstructured":"Xu W, Evans D, Qi Y. Feature squeezing: Detecting adversarial examples in deep neural networks. In: Network and Distributed System Security Symposium (NDSS). 2018.","DOI":"10.14722\/ndss.2018.23198"},{"key":"4658_CR43","unstructured":"Guo C, Rana M, Cisse M, Maaten L. Countering adversarial images using input transformations. In: International Conference on Learning Representations (ICLR). 2018."},{"key":"4658_CR44","doi-asserted-by":"crossref","unstructured":"Ross A.S, Doshi-Velez F. Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients. In: AAAI Conference on Artificial Intelligence. 2018.","DOI":"10.1609\/aaai.v32i1.11504"},{"key":"4658_CR45","unstructured":"Athalye A, Carlini N, Wagner D. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: International Conference on Machine Learning (ICML). 2018."},{"key":"4658_CR46","doi-asserted-by":"crossref","unstructured":"Rakin A, He Z, Fan D. Bit-flip attack: Crushing neural network with progressive bit search. In: IEEE\/CVF International Conference on Computer Vision, 2019; pp. 1211\u20131220.","DOI":"10.1109\/ICCV.2019.00130"},{"key":"4658_CR47","unstructured":"Wang J, Zhang Z, Wang M, Qiu H, Zhang T, Li Q, Li Z, Wei T, Zhang C. Aegis: Mitigating targeted bit-flip attacks against deep neural networks. In: 32nd USENIX Security Symposium (USENIX Security 23), 2023; pp. 2329\u20132346."},{"key":"4658_CR48","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1109\/JPROC.2012.2188769","volume":"100","author":"A Barenghi","year":"2012","unstructured":"Barenghi A, Breveglieri L, Koren I, Naccache D. Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures. Proc IEEE. 2012;100:305\u201319.","journal-title":"Proc IEEE"},{"key":"4658_CR49","unstructured":"Ravichandran K, et al. Software-based fault detection and recovery techniques. In: International Conference on Dependable Systems and Networks. 2014."},{"key":"4658_CR50","unstructured":"Yuce E., et al.: Fault-tolerant design in vlsi circuits. Microelectron J. 2007."},{"key":"4658_CR51","unstructured":"Qu L, et al. Temporal and spatial randomization for fault injection protection. In: Design Automation Conference. 2005."},{"key":"4658_CR52","unstructured":"Gao Y, et al. Countermeasures against fault injection attacks in embedded systems. J Hardw Syst Secur. 2018."},{"key":"4658_CR53","unstructured":"Brier E, Clavier C, Olivier F. Fault attacks on cryptographic devices: Detection and prevention. In: International Workshop on Cryptographic Hardware and Embedded Systems. 2004."},{"key":"4658_CR54","unstructured":"Kundu S, Das S, Karmakar S, Raha A, Kundu S, Makris Y, Basu K. Bit-by-bit: Investigating the vulnerabilities of binary neural networks to adversarial bit flipping. Trans Mach Learn Res. 2024."},{"key":"4658_CR55","doi-asserted-by":"crossref","unstructured":"Li J, Rakin A.S, Xiong Y, Chang L, He Z, Fan D, Chakrabarti C. Defending bit-flip attack through dnn weight reconstruction. In: 57th ACM\/IEEE DAC, 2020; pp. 1\u20136. IEEE.","DOI":"10.1109\/DAC18072.2020.9218665"},{"key":"4658_CR56","doi-asserted-by":"crossref","unstructured":"Rakin A.S, He Z, Fan D. Bit-flip attack: Crushing neural network with progressive bit search. 2019. arXiv preprint arXiv:1903.12269.","DOI":"10.1109\/ICCV.2019.00130"},{"key":"4658_CR57","unstructured":"Raji M, Zaree M, Soroush K. Spw: An ecc-based fault tolerance approach for dnns. 2025. arXiv preprint arXiv:2508.12347."},{"key":"4658_CR58","doi-asserted-by":"crossref","unstructured":"Zhou R., et al.: Compromising the intelligence of modern dnns: On the effectiveness of targeted rowpress. 2024. arXiv preprint arXiv:2412.02156.","DOI":"10.23919\/DATE64628.2025.10993193"},{"issue":"4","key":"4658_CR59","doi-asserted-by":"publisher","first-page":"853","DOI":"10.3390\/electronics12040853","volume":"12","author":"M Qian","year":"2023","unstructured":"Qian M, Zhang W, Nie J, Lu W, Cao J. A survey of bit-flip attacks on deep neural network and corresponding defense methods. Electronics. 2023;12(4):853.","journal-title":"Electronics"},{"key":"4658_CR60","unstructured":"Upadhyaya P, Yu X, Mink J, Cordero J, Parmar P, Jiang A. Error correction for hardware-implemented deep neural networks. In: Non-Volatile Memories Workshop. 2019."},{"key":"4658_CR61","doi-asserted-by":"crossref","unstructured":"Ghavami B, et al. A semi black-box adversarial bit-flip attack with limited dnn model information. 2024. arXiv preprint arXiv:2412.09450.","DOI":"10.1109\/ICCD63220.2024.00025"},{"key":"4658_CR62","unstructured":"Bnn-flip: Enhancing the fault tolerance and security of compute-in-memory enabled binary neural network accelerators. In: ASPDAC. 2024."},{"key":"4658_CR63","doi-asserted-by":"crossref","unstructured":"Chen Y, et al. Bitshield: Defending against bit-flip attacks on dnn executables. In: NDSS Symposium 2024.","DOI":"10.14722\/ndss.2025.241463"},{"key":"4658_CR64","unstructured":"Li S, et al. Yes, one-bit-flip matters! universal dnn model inference depletion with runtime code fault injection. In: USENIX Security Symposium 2024."},{"key":"4658_CR65","doi-asserted-by":"crossref","unstructured":"Biggio B, Roli F. Wild patterns: Ten years after the rise of adversarial machine learning. In: ACM SIGSAC Conference on Computer and Communications Security, 2018; pp. 2154\u20132156.","DOI":"10.1145\/3243734.3264418"},{"key":"4658_CR66","unstructured":"Nafi A.A.N, Rahaman H, Haider Z, Mahfuz T, Suya F, Bhunia S, Chakraborty P. Dash: A meta-attack framework for synthesizing effective and stealthy adversarial examples. 2025. arXiv preprint arXiv:2508.13309."},{"key":"4658_CR67","unstructured":"Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R. Intriguing properties of neural networks. 2013. arXiv preprint arXiv:1312.6199."},{"key":"4658_CR68","doi-asserted-by":"crossref","unstructured":"Papernot N, McDaniel P, Jha S, Fredrikson M, Celik ZB, Swami A. The limitations of deep learning in adversarial settings. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), 2016; pp. 372\u2013387. IEEE.","DOI":"10.1109\/EuroSP.2016.36"},{"issue":"5","key":"4658_CR69","doi-asserted-by":"publisher","first-page":"828","DOI":"10.1109\/TEVC.2019.2890858","volume":"23","author":"J Su","year":"2019","unstructured":"Su J, Vargas DV, Sakurai K. One pixel attack for fooling deep neural networks. IEEE Trans Evol Comput. 2019;23(5):828\u201341.","journal-title":"IEEE Trans Evol Comput"},{"key":"4658_CR70","doi-asserted-by":"crossref","unstructured":"Xiao C, Li B, Zhu J-Y, He W, Liu M, Song D. Generating adversarial examples with adversarial networks. 2018. arXiv preprint arXiv:1801.02610.","DOI":"10.24963\/ijcai.2018\/543"},{"key":"4658_CR71","unstructured":"Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. Towards deep learning models resistant to adversarial attacks. 2017. arXiv preprint arXiv:1706.06083."},{"key":"4658_CR72","doi-asserted-by":"crossref","unstructured":"Andriushchenko M, Croce F, Flammarion N, Hein M. Square attack: a query-efficient black-box adversarial attack via random search. In: European Conference on Computer Vision, 2020; pp. 484\u2013501. Springer.","DOI":"10.1007\/978-3-030-58592-1_29"},{"key":"4658_CR73","unstructured":"Ilyas A, Engstrom L, Athalye A, Lin J. Black-box adversarial attacks with limited queries and information. In: International Conference on Machine Learning, 2018; pp. 2137\u20132146. PMLR."},{"key":"4658_CR74","unstructured":"Jagielski M, Carlini N, Berthelot D, Kurakin A, Papernot N. High accuracy and high fidelity extraction of neural networks. In: USENIX Security Symposium, 2020; pp. 1345\u20131362."},{"key":"4658_CR75","unstructured":"Pal S, Gupta S, Gupta M, Shukla A, Singh A, Bansal A. Active learning of black-box adversarial attacks. In: AAAI Conference on Artificial Intelligence, 2020; pp. 4575\u20134582."},{"key":"4658_CR76","doi-asserted-by":"crossref","unstructured":"Orekondy T, Schiele B, Fritz M. Knockoff nets: Stealing functionality of black-box models. In: IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2019; pp. 4954\u20134963.","DOI":"10.1109\/CVPR.2019.00509"},{"key":"4658_CR77","doi-asserted-by":"crossref","unstructured":"Rakin AS, Chowdhuryy MHI, Yao F, Fan D. Deepsteal: Advanced model extractions leveraging efficient weight stealing in memories. In: IEEE Symposium on Security and Privacy (SP), 2022; pp. 1157\u20131174. IEEE.","DOI":"10.1109\/SP46214.2022.9833743"},{"key":"4658_CR78","unstructured":"Tram\u00e8r F, Zhang F, Juels A, Reiter MK, Ristenpart T. Stealing machine learning models via prediction apis. In: USENIX Security Symposium, 2016; pp. 601\u2013618."},{"key":"4658_CR79","unstructured":"Jia J, Cao X, Gong NZ. Towards efficient data poisoning attacks against machine learning. In: USENIX Security Symposium, 2019; pp. 1333\u20131350."},{"key":"4658_CR80","doi-asserted-by":"crossref","unstructured":"Oh SJ, Schiele B, Fritz M. Towards reverse-engineering black-box neural networks. In: International Conference on Learning Representations (ICLR) 2019.","DOI":"10.1007\/978-3-030-28954-6_7"},{"key":"4658_CR81","unstructured":"Adi Y, Baum C, Cisse M, Pinkas B, Keshet J. Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In: USENIX Security Symposium, 2018; pp. 1615\u20131631."},{"key":"4658_CR82","first-page":"1313","volume":"16","author":"E Le Merrer","year":"2020","unstructured":"Le Merrer E, Perez P, Tr\u00e9dan G. Adversarial watermarking: Protecting deep neural networks from unauthorized use. IEEE Trans Inf Forensics Secur. 2020;16:1313\u201328.","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"4658_CR83","doi-asserted-by":"crossref","unstructured":"Abadi M, Chu A, Goodfellow I, McMahan HB, Mironov I, Talwar K, Zhang L. Deep learning with differential privacy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016; pp. 308\u2013318.","DOI":"10.1145\/2976749.2978318"},{"key":"4658_CR84","unstructured":"Rahaman H, Chatterjee A, Bhunia S. Runtime detection of adversarial attacks in ai accelerators using performance counters. 2025. arXiv preprint arXiv:2503.07568."},{"key":"4658_CR85","unstructured":"Yang G, Wong E, Turner A, Li Z.K. Randomized smoothing: a provable defense against adversarial examples. In: International Conference on Machine Learning (ICML), 2020; pp. 10675\u201310685."},{"key":"4658_CR86","doi-asserted-by":"crossref","unstructured":"Papernot N, McDaniel P, Wu X, Jha S, Swami A. Distillation as a defense to adversarial perturbations against deep neural networks. In: IEEE Symposium on Security and Privacy (SP), 2016; pp. 582\u2013597.","DOI":"10.1109\/SP.2016.41"},{"key":"4658_CR87","unstructured":"Tram\u00e8r F, Kurakin A, Papernot N, Goodfellow I, Boneh D, McDaniel P. Ensemble adversarial training: Attacks and defenses. In: International Conference on Learning Representations (ICLR) 2018."},{"key":"4658_CR88","doi-asserted-by":"crossref","unstructured":"Shokri R, Stronati M, Song C, Shmatikov V. Membership inference attacks against machine learning models. In: 2017 IEEE Symposium on Security and Privacy (SP), 2017; pp. 3\u201318. IEEE.","DOI":"10.1109\/SP.2017.41"},{"key":"4658_CR89","unstructured":"Truex S, et al. Demystifying membership inference attacks. In: ACM CCS 2019."},{"key":"4658_CR90","doi-asserted-by":"crossref","unstructured":"Dwork C, McSherry F, Nissim K, Smith A. Calibrating noise to sensitivity in private data analysis. In: Theory of Cryptography Conference, 2006; pp. 265\u2013284. Springer.","DOI":"10.1007\/11681878_14"},{"key":"4658_CR91","doi-asserted-by":"crossref","unstructured":"Yeom S, Giacomelli I, Fredrikson M, Jha S. Privacy risk in machine learning: Analyzing the connection to overfitting. In: 2018 IEEE 31st Computer Security Foundations Symposium (CSF), 2018; pp. 268\u2013282. IEEE.","DOI":"10.1109\/CSF.2018.00027"},{"key":"4658_CR92","doi-asserted-by":"crossref","unstructured":"Nasr M, Shokri R, Houmansadr A. Machine learning with membership privacy using adversarial regularization. In: ACM CCS 2018.","DOI":"10.1145\/3243734.3243855"},{"key":"4658_CR93","doi-asserted-by":"crossref","unstructured":"Salem A, Zhang Y, Humbert M, Berrang P, Fritz M, Backes M. Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. In: Network and Distributed System Security Symposium (NDSS) 2018.","DOI":"10.14722\/ndss.2019.23119"},{"key":"4658_CR94","doi-asserted-by":"crossref","unstructured":"Fredrikson M, Jha S, Ristenpart T. Model inversion attacks that exploit confidence information and basic countermeasures. In: 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015; pp. 1322\u20131333.","DOI":"10.1145\/2810103.2813677"},{"issue":"1","key":"4658_CR95","first-page":"1929","volume":"15","author":"N Srivastava","year":"2014","unstructured":"Srivastava N, Hinton G, Krizhevsky A, Sutskever I, Salakhutdinov R. Dropout: a simple way to prevent neural networks from overfitting. J Mach Learn Res. 2014;15(1):1929\u201358.","journal-title":"J Mach Learn Res"},{"key":"4658_CR96","unstructured":"Papernot N, Abadi M, Erlingsson \u00da, Goodfellow I, Talwar K. Semi-supervised knowledge transfer for deep learning from private training data. In: International Conference on Learning Representations (ICLR) 2016."},{"key":"4658_CR97","doi-asserted-by":"crossref","unstructured":"Melis L, Song C, De\u00a0Cristofaro E, Shmatikov V. Exploiting unintended feature leakage in collaborative learning. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 691\u2013706 2019. IEEE","DOI":"10.1109\/SP.2019.00029"},{"key":"4658_CR98","doi-asserted-by":"crossref","unstructured":"Hitaj B, Ateniese G, Perez-Cruz F. Deep models under the gan: Information leakage from collaborative deep learning. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 603\u2013618 2017.","DOI":"10.1145\/3133956.3134012"},{"key":"4658_CR99","unstructured":"Batina L, Bhasin S, Jap D, Picek S. $$\\{CSI\\}\\{NN\\}$$: Reverse engineering of neural network architectures through electromagnetic side channel. In: 28th USENIX Security Symposium (USENIX Security 19), 2019;515\u2013532."},{"key":"4658_CR100","unstructured":"Yan M, Fletcher CW, Torrellas J. Cache telepathy: Leveraging shared resource attacks to learn $$\\{$$DNN$$\\}$$ architectures. In: 29th USENIX Security Symposium (USENIX Security 20), 2020; pp. 2003\u20132020."},{"key":"4658_CR101","unstructured":"Ahmadi MM, Alrahis L, Sinanoglu O, Shafique M. Dnn-alias: Deep neural network protection against side-channel attacks via layer balancing. arXiv preprint arXiv:2303.06746 (2023)"},{"key":"4658_CR102","doi-asserted-by":"publisher","unstructured":"Chari S, Rao JR, Rohatgi P. Towards sound approaches to counteract power-analysis attacks. In: Advances in Cryptology \u2013 CRYPTO\u2019 99, pp. 398\u2013412. Springer Berlin, Heidelberg 1999. https:\/\/doi.org\/10.1007\/3-540-48405-1_26","DOI":"10.1007\/3-540-48405-1_26"},{"key":"4658_CR103","doi-asserted-by":"publisher","unstructured":"Dwork C, Roth A. The Algorithmic Foundations of Differential Privacy. Foundations and Trends in Theoretical Computer Science, vol. 9, pp. 211\u2013407. Now Publishers Hanover, MA, USA 2014.https:\/\/doi.org\/10.1561\/0400000042.","DOI":"10.1561\/0400000042"},{"key":"4658_CR104","doi-asserted-by":"publisher","unstructured":"Krautter J, Spreitzer R, Mangard S. Active physical side-channel attacks on resource-constrained iot devices. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 2271\u20132285. ACM New York, NY, USA 2019. https:\/\/doi.org\/10.1145\/3319535.3354229.","DOI":"10.1145\/3319535.3354229"},{"key":"4658_CR105","doi-asserted-by":"publisher","unstructured":"Bonawitz K, Ivanov V, Kreuter B, Marcedone A, McMahan HB, Patel S, Ramage D, Segal A, Seth K. Practical secure aggregation for privacy-preserving machine learning. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1175\u20131191. ACM New York, NY, USA 2017. https:\/\/doi.org\/10.1145\/3133956.3133982.","DOI":"10.1145\/3133956.3133982"},{"key":"4658_CR106","doi-asserted-by":"publisher","unstructured":"Rezaei S, Liu X. Deep neural network model compression with adversarial robustness. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 34, pp. 5201\u20135208 2020. https:\/\/doi.org\/10.1609\/aaai.v34i04.5948.","DOI":"10.1609\/aaai.v34i04.5948"},{"key":"4658_CR107","doi-asserted-by":"publisher","unstructured":"Kocher P, Jaffe J, Jun B. Differential power analysis. In: Advances in Cryptology\u2013CRYPTO\u2019 99, pp. 388\u2013397. Springer Berlin, Heidelberg 1999. https:\/\/doi.org\/10.1007\/3-540-48405-1_25.","DOI":"10.1007\/3-540-48405-1_25"},{"key":"4658_CR108","doi-asserted-by":"crossref","unstructured":"Rahaman H, Chatterjee A, Bhunia S. Samurai: A framework for safeguarding against malicious usage and resilience of ai. In: 2024 IEEE 33rd Asian Test Symposium (ATS), 2024; pp. 1\u20136. IEEE.","DOI":"10.1109\/ATS64447.2024.10915409"},{"key":"4658_CR109","unstructured":"Rahaman H, Chatterjee A, Bhunia S. Secure and storage-efficient deep learning models for edge ai using automatic weight generation. 2025. arXiv preprint arXiv:2507.06380."}],"container-title":["SN Computer Science"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-025-04658-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s42979-025-04658-y","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-025-04658-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T10:33:53Z","timestamp":1771929233000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s42979-025-04658-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,24]]},"references-count":109,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2026,3]]}},"alternative-id":["4658"],"URL":"https:\/\/doi.org\/10.1007\/s42979-025-04658-y","relation":{},"ISSN":["2661-8907"],"issn-type":[{"value":"2661-8907","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,24]]},"assertion":[{"value":"17 October 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 December 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 February 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"Not applicable.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of Interest"}},{"value":"Not applicable.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical Approval and Consent to Participate"}},{"value":"Not applicable.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Research Involving Human and\/or Animals"}},{"value":"Yes","order":5,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for Publication"}}],"article-number":"227"}}