{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,30]],"date-time":"2025-09-30T11:04:42Z","timestamp":1759230282034,"version":"3.37.3"},"reference-count":77,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"DOI":"10.13039\/100000183","name":"Army Research Office","doi-asserted-by":"publisher","award":["W911NF-21-1-0155"],"award-info":[{"award-number":["W911NF-21-1-0155"]}],"id":[{"id":"10.13039\/100000183","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100012025","name":"New York University (NYU) Abu Dhabi Center in Artificial Intelligence (AI) and Robotics","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100012025","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2022]]},"DOI":"10.1109\/access.2022.3141077","type":"journal-article","created":{"date-parts":[[2022,1,7]],"date-time":"2022-01-07T20:33:48Z","timestamp":1641587628000},"page":"5545-5558","source":"Crossref","is-referenced-by-count":12,"title":["A Feature-Based On-Line Detector to Remove Adversarial-Backdoors by Iterative Demarcation"],"prefix":"10.1109","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8282-6580","authenticated-orcid":false,"given":"Hao","family":"Fu","sequence":"first","affiliation":[]},{"given":"Akshaj Kumar","family":"Veldanda","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8264-7972","authenticated-orcid":false,"given":"Prashanth","family":"Krishnamurthy","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6158-9512","authenticated-orcid":false,"given":"Siddharth","family":"Garg","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8418-004X","authenticated-orcid":false,"given":"Farshad","family":"Khorrami","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2011.5995566"},{"article-title":"Learning multiple layers of features from tiny images","year":"2009","author":"krizhevsky","key":"ref71"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2012.02.016"},{"key":"ref76","article-title":"FaceHack: Triggering backdoored facial recognition systems using facial characteristics","author":"sarkar","year":"2020","journal-title":"arXiv 2006 11623"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref74","first-page":"1","article-title":"Network in network","author":"lin","year":"2014","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6871"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"ref38","first-page":"16463","article-title":"Invisible backdoor attack with sample-specific triggers","author":"li","year":"2021","journal-title":"Proc IEEE\/CVF Int Conf Comput Vis"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3032411"},{"key":"ref32","first-page":"7167","article-title":"A simple unified framework for detecting out-of-distribution samples and adversarial attacks","author":"lee","year":"2018","journal-title":"Proc Conf Neural Inf Process Syst"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref30","first-page":"14004","article-title":"Defending neural backdoors via generative distribution modeling","author":"qiao","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00614"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.23919\/DATE48585.2020.9116489"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref60","first-page":"61","article-title":"Probabilistic outputs for support vector machines and comparisons to regularized likelihood methods","volume":"10","author":"platt","year":"1999","journal-title":"Adv Large Margin Classifiers"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2017.2707495"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2003.1217609"},{"key":"ref63","first-page":"34","article-title":"One-class SVM for learning in image retrieval","volume":"1","author":"chen","year":"2001","journal-title":"Proc Int Conf Image Process"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"ref64","first-page":"6067","article-title":"Quantum entropy scoring for fast robust mean estimation and improved outlier detection","author":"dong","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2019.2947676"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1016\/j.patrec.2021.05.022"},{"key":"ref29","article-title":"TABOR: A highly accurate approach to inspecting and restoring trojan backdoors in AI systems","author":"guo","year":"2019","journal-title":"arXiv 1908 01763"},{"key":"ref67","first-page":"2825","article-title":"Scikit-learn: Machine learning in Python","volume":"12","author":"pedregosa","year":"2017","journal-title":"J Mach Learn Res"},{"key":"ref68","first-page":"1","article-title":"Automatic differentiation in PyTorch","author":"paszke","year":"2017","journal-title":"Proc 31st Conf Neural Inf Process Syst"},{"journal-title":"MNIST Handwritten Digit Database","year":"2010","author":"lecun","key":"ref69"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2014.244"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2016.2577031"},{"key":"ref20","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"chen","year":"2017","journal-title":"arXiv 1712 05526"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1038\/nature21056"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/MIS.2009.36"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2019.2946162"},{"key":"ref26","article-title":"Detecting backdoor attacks on deep neural networks by activation clustering","author":"chen","year":"2018","journal-title":"arXiv 1811 03728"},{"key":"ref25","first-page":"8000","article-title":"Spectral signatures in backdoor attacks","author":"tran","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00057"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58571-6_26"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1111\/1467-9868.00196"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00038"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1137\/1.9781611976700.12"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/3394171.3413546"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/647"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00356"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00301"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00114"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/IROS40897.2019.8968267"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1016\/j.robot.2019.03.001"},{"key":"ref40","first-page":"2088","article-title":"Invisible backdoor attacks on deep neural networks via steganography and regularization","volume":"18","author":"li","year":"2021","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"ref12","first-page":"274","article-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples","author":"athalye","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"ref14","article-title":"Defensive distillation is not robust to adversarial examples","author":"carlini","year":"2016","journal-title":"arXiv 1607 04311"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"ref16","first-page":"1","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2015","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref17","first-page":"15","article-title":"Adversarial example defenses: Ensembles of weak defenses are not strong","author":"he","year":"2017","journal-title":"Proc USENIX Conf Offensive Technol"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref19","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2013","journal-title":"arXiv 1312 6199"},{"key":"ref4","first-page":"2493","article-title":"Natural language processing (almost) from scratch","volume":"12","author":"collobert","year":"2011","journal-title":"J Mach Learn Res"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2014.220"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.312"},{"key":"ref5","article-title":"Neural machine translation by jointly learning to align and translate","author":"bahdanau","year":"2014","journal-title":"arXiv 1409 0473"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2018.2381113"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/CCTA41146.2020.9206312"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3437880.3460401"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/IROS.2018.8593375"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3450569.3463560"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354209"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2021.3087237"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2941376"},{"key":"ref42","first-page":"1","article-title":"DBA: Distributed backdoor attacks against federated learning","author":"xie","year":"2019","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58607-2_11"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS51616.2021.00086"},{"key":"ref43","first-page":"2938","article-title":"How to backdoor federated learning","author":"bagdasaryan","year":"2020","journal-title":"Proc Int Conf Artif Intell Statist"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/6287639\/9668973\/09673744.pdf?arnumber=9673744","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,4,11]],"date-time":"2022-04-11T20:53:14Z","timestamp":1649710394000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9673744\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"references-count":77,"URL":"https:\/\/doi.org\/10.1109\/access.2022.3141077","relation":{},"ISSN":["2169-3536"],"issn-type":[{"type":"electronic","value":"2169-3536"}],"subject":[],"published":{"date-parts":[[2022]]}}}