{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T22:35:37Z","timestamp":1775169337286,"version":"3.50.1"},"reference-count":100,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2022]]},"DOI":"10.1109\/access.2022.3218715","type":"journal-article","created":{"date-parts":[[2022,11,4]],"date-time":"2022-11-04T01:36:13Z","timestamp":1667525773000},"page":"120850-120865","source":"Crossref","is-referenced-by-count":12,"title":["An Adversarial Perspective on Accuracy, Robustness, Fairness, and Privacy: Multilateral-Tradeoffs in Trustworthy ML"],"prefix":"10.1109","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3482-0157","authenticated-orcid":false,"given":"Alex","family":"Gittens","sequence":"first","affiliation":[{"name":"Department of Computer Science, Rensselaer Polytechnic Institute, Troy, NY, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bulent","family":"Yener","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Rensselaer Polytechnic Institute, Troy, NY, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Moti","family":"Yung","sequence":"additional","affiliation":[{"name":"Google LLC, New York, NY, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00027"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354211"},{"key":"ref33","first-page":"11492","article-title":"To be robust or to be fair: Towards fairness in adversarial training","volume":"139","author":"xu","year":"2021","journal-title":"Proc 38th Int Conf Mach Learn (ICML)"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3442188.3445910"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3457607"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1002\/widm.1452"},{"key":"ref37","article-title":"On adversarial bias and the robustness of fair machine learning","author":"chang","year":"2020","journal-title":"arXiv 2006 08669"},{"key":"ref36","first-page":"7472","article-title":"Theoretically principled trade-off between robustness and accuracy","volume":"97","author":"zhang","year":"2019","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref35","first-page":"1","article-title":"Towards deep learning models resistant to adversarial attacks","author":"madry","year":"2018","journal-title":"Proc 6th Int Conf Learn Represent (ICLR)"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3447548.3467403"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1007\/s10994-011-5268-1"},{"key":"ref27","article-title":"Trade-offs between fairness, interpretability, and privacy in machine learning","author":"agarwal","year":"2020"},{"key":"ref29","first-page":"1","article-title":"Fairness and representation learning","author":"cisse","year":"2019","journal-title":"Proc 33rd Conf Neural Inf Process Syst"},{"key":"ref20","first-page":"1","article-title":"Are adversarial examples inevitable?","author":"shafahi","year":"2019","journal-title":"Proc 7th Int Conf Learn Represent (ICLR)"},{"key":"ref22","first-page":"8588","article-title":"A closer look at accuracy vs robustness","volume":"33","author":"yang","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref21","first-page":"1186","article-title":"Adversarial vulnerability for any classifier","volume":"31","author":"fawzi","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref24","article-title":"Privacy in deep learning: A survey","author":"mireshghallah","year":"2020","journal-title":"arXiv 2004 12254"},{"key":"ref23","first-page":"1","article-title":"Robustness may be at odds with accuracy","author":"tsipras","year":"2019","journal-title":"Proc 7th Int Conf Learn Represent (ICLR)"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00028"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-65414-6_32"},{"key":"ref25","first-page":"15453","article-title":"Differential privacy has disparate impact on model accuracy","volume":"32","author":"bagdasaryan","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00059"},{"key":"ref51","first-page":"1310","article-title":"Certified adversarial robustness via randomized smoothing","author":"cohen","year":"2019","journal-title":"Proc 8th Int Conf Learn Represent (ICLR)"},{"key":"ref59","first-page":"6106","article-title":"Poison frogs! Targeted clean-label poisoning attacks on neural networks","volume":"31","author":"shafahi","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00028"},{"key":"ref57","first-page":"1","article-title":"Ensemble adversarial training: Attacks and defenses","author":"tram\u00e8r","year":"2018","journal-title":"Proc 6th Int Conf Learn Represent (ICLR)"},{"key":"ref56","first-page":"1","article-title":"Defense-GAN: Protecting classifiers against adversarial attacks using generative models","author":"samangouei","year":"2018","journal-title":"Proc 6th Int Conf Learn Represent (ICLR)"},{"key":"ref55","first-page":"369","article-title":"Towards robust neural networks via random self-ensemble","author":"liu","year":"2018","journal-title":"Proc Eur Conf Comput Vis (ECCV)"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3240765.3264699"},{"key":"ref53","first-page":"1","article-title":"mixup: Beyond empirical risk minimization","author":"zhang","year":"2018","journal-title":"Proc 6th Int Conf Learn Represent (ICLR)"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00044"},{"key":"ref40","first-page":"8093","article-title":"Overfitting in adversarially robust deep learning","volume":"119","author":"rice","year":"2020","journal-title":"Proc 37th Int Conf Mach Learn"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/2090236.2090255"},{"key":"ref3","first-page":"1","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2015","journal-title":"Proc 3rd Int Conf Learn Represent (ICLR)"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/3194770.3194776"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2020\/61"},{"key":"ref8","doi-asserted-by":"crossref","first-page":"211","DOI":"10.1561\/0400000042","article-title":"The algorithmic foundations of differential privacy","volume":"9","author":"dwork","year":"2014","journal-title":"Found Trends Theor Comput Sci"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/3287560.3287589"},{"key":"ref49","first-page":"3047","article-title":"Weight-covariance alignment for adversarially robust neural networks","volume":"139","author":"eustratiadis","year":"2020","journal-title":"Proc 38th Int Conf Mach Learn (ICML)"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/MCI.2020.2976185"},{"key":"ref46","first-page":"43","article-title":"Inherent trade-offs in the fair determination of risk scores","volume":"67","author":"kleinberg","year":"2017","journal-title":"Proc 8th Innov Theor Comput Sci Conf (ITCS)"},{"key":"ref45","first-page":"5680","article-title":"On fairness and calibration","author":"pleiss","year":"2017","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1177\/0049124118782533"},{"key":"ref42","article-title":"Gradient masking and the underestimated robustness threats of differential privacy in deep learning","author":"boenisch","year":"2021","journal-title":"arXiv 2105 07985"},{"key":"ref41","article-title":"Robustness threats of differential privacy","author":"tursynbek","year":"2020","journal-title":"arXiv 2012 07828"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2019.2907097"},{"key":"ref43","first-page":"1","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2014","journal-title":"Proc 2nd Int Conf Learn Represent (ICLR)"},{"key":"ref73","first-page":"1","article-title":"Representation learning via invariant causal mechanisms","author":"mitrovic","year":"2020","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref72","article-title":"Invariant risk minimization","author":"arjovsky","year":"2019","journal-title":"arXiv 1907 02893"},{"key":"ref71","author":"peters","year":"2017","journal-title":"Elements of Causal Inference Foundations and Learning Algorithms"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9780511803161"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2021.3058954"},{"key":"ref77","first-page":"145","article-title":"Invariant risk minimization games","author":"ahuja","year":"2020","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref74","article-title":"Generalizable information theoretic causal representation","author":"yang","year":"2022","journal-title":"arXiv 2202 08388"},{"key":"ref75","first-page":"19","article-title":"Towards efficient representation identification in supervised learning","volume":"177","author":"ahuja","year":"2022","journal-title":"Proc 1st Conf Causal Learn Reasoning (CLeaR)"},{"key":"ref78","first-page":"1","article-title":"Invariant causal representation learning for out-of-distribution generalization","author":"lu","year":"2021","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref79","first-page":"1","article-title":"Adversarial robustness through the lens of causality","author":"zhang","year":"2022","journal-title":"Proc 10th Int Conf Learn Represent (ICLR)"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6871"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.23047"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.29012\/jpc.754"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/MSN53354.2021.00038"},{"key":"ref64","first-page":"1","article-title":"Poisoning attacks to local differential privacy protocols for key-value data","author":"wu","year":"2022","journal-title":"Proc 31st USENIX Secur Symp"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382264"},{"key":"ref66","first-page":"1","article-title":"Differential privacy under fire","author":"haeberlen","year":"2011","journal-title":"Proc 20th USENIX Secur Symp"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.44"},{"key":"ref68","article-title":"Approaching machine learning fairness through adversarial network","author":"wang","year":"2019","journal-title":"arXiv 1909 03013"},{"key":"ref2","doi-asserted-by":"crossref","DOI":"10.1002\/9780470434697","author":"huber","year":"2009","journal-title":"Robust Statistics"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33012412"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/3531146.3533179"},{"key":"ref95","author":"dua","year":"2014","journal-title":"Bank marketing dataset UCI Machine Learning Repository"},{"key":"ref94","article-title":"A survey of privacy attacks in machine learning","author":"rigaki","year":"2020","journal-title":"arXiv 2007 07646"},{"key":"ref93","first-page":"2206","article-title":"Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks","author":"croce","year":"2020","journal-title":"Proc 37th Int Conf Mach Learn (ICML)"},{"key":"ref92","first-page":"1","article-title":"RobustBench: A standardized adversarial robustness benchmark","author":"croce","year":"2021","journal-title":"Proc 35th Conf Neural Inf Process Syst Datasets Benchmarks Track"},{"key":"ref91","article-title":"Fairlearn: A toolkit for assessing and improving fairness in AI","author":"bird","year":"2020"},{"key":"ref90","article-title":"On the robustness of Bayesian network learning algorithms against malicious attacks","author":"geveke","year":"2020"},{"key":"ref98","article-title":"A new paradigm for accelerating clinical data science at Stanford medicine","author":"datta","year":"2020","journal-title":"arXiv 2003 10534"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/ICB2018.2018.00033"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1038\/s41597-021-01110-7"},{"key":"ref97","first-page":"1","article-title":"MIMIC-III, a freely accessible critical care database","volume":"3","author":"johnson","year":"2016","journal-title":"Data Science Journal"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"ref11","first-page":"429","article-title":"Local privacy and statistical minimax rates","author":"duchi","year":"2013","journal-title":"Proc Annu IEEE Symp Foundations Comput Sci"},{"key":"ref12","first-page":"11631","article-title":"Numerical composition of differential privacy","volume":"34","author":"gopi","year":"2021","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref14","first-page":"3000","article-title":"Differentially private fair learning","volume":"97","author":"jagielski","year":"2019","journal-title":"Proc 36th Int Conf Mach Learn (ICML)"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2021.3129592"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/FOCS.2014.56"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/PAC.2017.24"},{"key":"ref17","first-page":"2722","article-title":"Differentially private empirical risk minimization revisited: Faster and more general","volume":"30","author":"wang","year":"2017","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref81","first-page":"1308","article-title":"Private causal inference","volume":"51","author":"kusner","year":"2016","journal-title":"Proc 19th Int Conf Artif Intell Statist (AISTATS)"},{"key":"ref18","first-page":"2357","article-title":"Obtaining fairness using optimal transport theory","author":"gordaliza","year":"2019","journal-title":"Proc 36th Int Conf Mach Learn (ICML)"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.3389\/fdata.2022.892837"},{"key":"ref19","first-page":"862","article-title":"Wasserstein fair classification","volume":"115","author":"jiang","year":"2019","journal-title":"Proc 35th Conf Uncertainty Artif Intell (UAI)"},{"key":"ref83","first-page":"5516","article-title":"Towards practical differentially private causal graph discovery","volume":"33","author":"wang","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref80","first-page":"9537","article-title":"Alleviating privacy attacks via causal learning","author":"tople","year":"2020","journal-title":"Proc 37th Int Conf Mach Learn (ICML)"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1080\/03081079.2019.1630401"},{"key":"ref85","first-page":"4066","article-title":"Counterfactual fairness","volume":"30","author":"kusner","year":"2017","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v32i1.11553"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1111\/cogs.12058"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33017801"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/6287639\/9668973\/09933776.pdf?arnumber=9933776","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,12]],"date-time":"2022-12-12T19:59:18Z","timestamp":1670875158000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9933776\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"references-count":100,"URL":"https:\/\/doi.org\/10.1109\/access.2022.3218715","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022]]}}}