{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T15:42:15Z","timestamp":1774539735946,"version":"3.50.1"},"reference-count":219,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2024]]},"DOI":"10.1109\/access.2024.3509372","type":"journal-article","created":{"date-parts":[[2024,11,29]],"date-time":"2024-11-29T18:57:03Z","timestamp":1732906623000},"page":"181071-181105","source":"Crossref","is-referenced-by-count":22,"title":["Transformers: A Security Perspective"],"prefix":"10.1109","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3735-9191","authenticated-orcid":false,"given":"Banafsheh Saber","family":"Latibari","sequence":"first","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of California at Davis, Davis, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3094-9439","authenticated-orcid":false,"given":"Najmeh","family":"Nazari","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of California at Davis, Davis, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-2160-5689","authenticated-orcid":false,"given":"Muhtasim","family":"Alam Chowdhury","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, The University of Arizona, Tucson, AZ, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1745-0457","authenticated-orcid":false,"given":"Kevin","family":"Immanuel Gubbi","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer 
Engineering, University of California at Davis, Davis, CA, USA"}]},{"given":"Chongzhou","family":"Fang","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of California at Davis, Davis, CA, USA"}]},{"given":"Sujan","family":"Ghimire","sequence":"additional","affiliation":[{"name":"Department of System and Industrial Engineering, The University of Arizona, Tucson, AZ, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-2138-9026","authenticated-orcid":false,"given":"Elahe","family":"Hosseini","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of California at Davis, Davis, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6423-0145","authenticated-orcid":false,"given":"Hossein","family":"Sayadi","sequence":"additional","affiliation":[{"name":"California State University at Long Beach, Long Beach, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8904-4699","authenticated-orcid":false,"given":"Houman","family":"Homayoun","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of California at Davis, Davis, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5998-8795","authenticated-orcid":false,"given":"Soheil","family":"Salehi","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, The University of Arizona, Tucson, AZ, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4052-8075","authenticated-orcid":false,"given":"Avesta","family":"Sasan","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of California at Davis, Davis, CA, 
USA"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00083"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3605764.3623985"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2807385"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.3233\/FAIA230254"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/ICPR48806.2021.9413344"},{"key":"ref6","article-title":"Federated adversarial training with transformers","author":"Aldahdooh","year":"2022","journal-title":"arXiv:2206.02131"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-16437-8_36"},{"key":"ref8","first-page":"26831","article-title":"Are transformers more robust than CNNs?","volume-title":"Advances in Neural Information Processing Systems","volume":"34","author":"Bai","year":"2021"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/ISQED48828.2020.9136987"},{"key":"ref10","article-title":"Adversarial robustness comparison of vision transformer and MLP-mixer to CNNs","author":"Benz","year":"2021","journal-title":"arXiv:2110.02797"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1142\/S0129065721500581"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2023.100573"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/ICFPT51103.2020.00023"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/TVLSI.2023.3340553"},{"key":"ref15","first-page":"1877","article-title":"Language models are few-shot learners","volume-title":"Advances in Neural Information Processing Systems","volume":"33","author":"Brown","year":"2020"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58452-8_13"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.7717\/peerj-cs.1197"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00084"},{"key":"ref19","article-title":"Killing one bird with two stones: Model 
extraction and attribute inference attacks against BERT-based APIs","author":"Chen","year":"2021","journal-title":"arXiv:2105.10909"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.5767"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/P19-1425"},{"key":"ref22","article-title":"PaLM: Scaling language modeling with pathways","author":"Chowdhery","year":"2022","journal-title":"arXiv:2204.02311"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.3389\/felec.2024.1409548"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/LifeTech53646.2022.9754937"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN55064.2022.9892269"},{"key":"ref26","article-title":"A light recipe to train robust vision transformers","author":"Debenedetti","year":"2022","journal-title":"arXiv:2209.07399"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.findings-emnlp.305"},{"key":"ref28","article-title":"BERT: Pre-training of deep bidirectional transformers for language understanding","author":"Devlin","year":"2018","journal-title":"arXiv:1810.04805"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v37i1.25125"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.3390\/cryptography8030036"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2021.107956"},{"key":"ref32","article-title":"An image is worth 16\u00d716 words: Transformers for image recognition at 
scale","author":"Dosovitskiy","year":"2020","journal-title":"arXiv:2010.11929"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3400302.3415649"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3465377"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/ITC51656.2023.00035"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/HOST55118.2023.10133716"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3653019"},{"key":"ref38","first-page":"829","article-title":"Large language models for code analysis: Do LLMs really do their job?","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Security)","author":"Fang"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.23919\/DATE51398.2021.9473941"},{"key":"ref40","article-title":"Decepticons: Corrupted transformers breach privacy in federated learning for language models","author":"Fowl","year":"2022","journal-title":"arXiv:2201.12675"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.eacl-main.149"},{"key":"ref42","article-title":"BlackJack: Secure machine learning on IoT devices through hardware-based 
shuffling","author":"Ganesan","year":"2023","journal-title":"arXiv:2310.17804"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1038\/s41467-022-33266-0"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196518"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3322483"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.23919\/DATE48585.2020.9116481"},{"key":"ref47","volume-title":"Bard","year":"2023"},{"key":"ref48","volume-title":"Gemini","year":"2023"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-19775-8_24"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1145\/3579823"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/MWSCAS57524.2023.10406065"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/TCSI.2024.3364160"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/ACOMP.2019.00022"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.3390\/s23073400"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2022.3152247"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-022-07568-9"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.00978"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.naacl-main.161"},{"key":"ref59","article-title":"CATER: Intellectual property protection on text generation APIs via conditional 
watermarks","author":"He","year":"2022","journal-title":"arXiv:2209.08773"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.emnlp-main.99"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i10.21321"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.3233\/faia230376"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-80599-9_2"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.21437\/Interspeech.2021-2039"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/ISQED60706.2024.10528782"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.3390\/mi15010149"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/LSP.2021.3112099"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1145\/3523273"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-44693-1_32"},{"key":"ref70","article-title":"Zero-shot certified defense against adversarial patches with vision transformers","author":"Huang","year":"2021","journal-title":"arXiv:2111.10481"},{"key":"ref71","article-title":"Adversarial attacks on speech recognition systems for mission-critical applications: A survey","author":"Huynh","year":"2022","journal-title":"arXiv:2202.10594"},{"key":"ref72","article-title":"Adversarial attacks on transformers-based malware detectors","author":"Jakhotiya","year":"2022","journal-title":"arXiv:2210.00008"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/DAC18072.2020.9218575"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD51958.2021.9643556"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/3555808"},{"key":"ref76","first-page":"1","article-title":"Label poisoning is all you need","volume-title":"Proc. Adv. Neural Inf. Process. 
Syst.","volume":"36","author":"Jha"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i05.6311"},{"key":"ref78","article-title":"Adversarial token attacks on vision transformers","author":"Joshi","year":"2021","journal-title":"arXiv:2110.04337"},{"key":"ref79","first-page":"1","article-title":"HLGM: A novel methodology for improving model accuracy using saliency-guided high and low gradient masking","volume-title":"Proc. 14th Int. Conf. Inf. Sci. Technol.","author":"Karkehabadi"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.findings-acl.141"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.3390\/s24020592"},{"key":"ref82","article-title":"A watermark for large language models","author":"Kirchenbauer","year":"2023","journal-title":"arXiv:2301.10226"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1016\/j.micpro.2020.103383"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/ISLPED58423.2023.10244573"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-28244-7_32"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1109\/DCAS57389.2023.10130256"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1109\/DCAS61159.2024.10539877"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-19806-9_33"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103448"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.emnlp-main.500"},{"key":"ref91","article-title":"On extracting specialized code abilities from large language models: A feasibility study","author":"Li","year":"2023","journal-title":"arXiv:2303.03012"},{"key":"ref92","article-title":"FedNLP: Benchmarking federated learning methods for natural language processing tasks","author":"Lin","year":"2021","journal-title":"arXiv:2104.08815"},{"key":"ref93","article-title":"HW-V2W-map: Hardware vulnerability to weakness mapping framework for root cause analysis with 
GPT-assisted mitigation suggestion","author":"Lin","year":"2023","journal-title":"arXiv:2312.13530"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.emnlp-main.522"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1109\/DAC18072.2020.9218577"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1145\/3474376.3487281"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D19-1387"},{"key":"ref98","article-title":"Prompt injection attack against LLM-integrated applications","author":"Liu","year":"2023","journal-title":"arXiv:2306.05499"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00986"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/SOCC49529.2020.9524802"},{"key":"ref101","article-title":"SpecTNT: A time-frequency transformer for music audio","author":"Lu","year":"2021","journal-title":"arXiv:2110.09127"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1109\/DAC18074.2021.9586262"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00034"},{"key":"ref104","article-title":"DBIA: Data-free backdoor injection attack against transformer networks","author":"Lv","year":"2021","journal-title":"arXiv:2111.11870"},{"key":"ref105","article-title":"Attention hijacking in trojan 
transformers","author":"Lyu","year":"2022","journal-title":"arXiv:2208.04946"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV51070.2023.00427"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00774"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1145\/2591513.2591520"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01173"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1109\/MDAT.2023.3253603"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1109\/ISQED51717.2021.9424353"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1109\/ISQED54688.2022.9806214"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i19.30136"},{"key":"ref114","first-page":"1","article-title":"Black box attacks on transformer language models","volume-title":"Proc. Debugging Mach. Learn. Models Workshop (ICLR)","author":"Misra"},{"key":"ref115","first-page":"18599","article-title":"When adversarial training meets vision transformers: Recipes from training to architecture","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"35","author":"Mo"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1109\/JETCAS.2021.3074608"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.1016\/j.jbi.2022.104114"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.findings-emnlp.341"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.emnlp-demos.16"},{"key":"ref120","article-title":"Combined use of federated learning and image encryption for privacy-preserving image classification with vision transformer","author":"Nagamori","year":"2023","journal-title":"arXiv:2301.09255"},{"key":"ref121","first-page":"13988","article-title":"Clip-it! 
Language-guided video summarization","volume-title":"Advances in Neural Information Processing Systems","volume":"34","author":"Narasimhan","year":"2021"},{"key":"ref122","article-title":"On improving adversarial transferability of vision transformers","author":"Naseer","year":"2021","journal-title":"arXiv:2106.04169"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616652"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1109\/MM.2023.3267481"},{"key":"ref125","first-page":"1","article-title":"Architectural whispers: Unveiling machine learning models with frequency throttling side-channel fingerprinting","volume-title":"Proc. Design Autom. Conf. (DAC)","author":"Nazari"},{"key":"ref126","first-page":"1349","article-title":"Forget and rewire: Enhancing the resilience of transformer-based models against bit-flip attacks","volume-title":"Proc. 33rd USENIX Secur. Symp. (USENIX Security)","author":"Nazari"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1109\/ISQED60706.2024.10528736"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1109\/ISCAS58744.2024.10558041"},{"key":"ref129","doi-asserted-by":"publisher","DOI":"10.23919\/DATE58400.2024.10546869"},{"key":"ref130","volume-title":"ChatGPT","year":"2023"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2022.3190787"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-20083-0_18"},{"key":"ref133","article-title":"Attacking compressed vision transformers","author":"Parekh","year":"2022","journal-title":"arXiv:2209.13785"},{"key":"ref134","article-title":"SoK: Model reverse engineering threats for neural network hardware","author":"Potluri","year":"2024","journal-title":"Cryptol. 
ePrint Arch."},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2022.04.020"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.00982"},{"key":"ref137","doi-asserted-by":"publisher","DOI":"10.1109\/AICCSA56895.2022.10017489"},{"key":"ref138","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA58977.2023.00104"},{"key":"ref139","first-page":"1919","article-title":"Deep-Dup: An adversarial weight duplication attack framework to crush deep neural network in Multi-Tenant FPGA","volume-title":"Proc. 30th USENIX Secur. Symp. (USENIX Security)","author":"Rakin"},{"key":"ref140","article-title":"Exploring adversarial attacks and defenses in vision transformers trained with DINO","author":"Rando","year":"2022","journal-title":"arXiv:2206.06761"},{"key":"ref141","first-page":"1","article-title":"Attention-based interpretability with concept transformers","volume-title":"Proc. Int. Conf. Learn. Represent.","author":"Rigotti"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.21437\/Interspeech.2022-249"},{"key":"ref143","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP49357.2023.10096956"},{"key":"ref144","article-title":"A study of small evolution of vision transformers for low power devices","author":"Latibari","year":"2024"},{"key":"ref145","doi-asserted-by":"publisher","DOI":"10.1145\/3649476.3660380"},{"key":"ref146","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP43922.2022.9747475"},{"key":"ref147","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01471"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.23919\/DATE.2018.8342177"},{"key":"ref149","article-title":"Large scale legal text classification using transformer 
models","author":"Shaheen","year":"2020","journal-title":"arXiv:2010.12871"},{"key":"ref150","doi-asserted-by":"publisher","DOI":"10.1007\/s41635-017-0001-6"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.1016\/j.media.2023.102802"},{"key":"ref152","article-title":"On the adversarial robustness of vision transformers","author":"Shao","year":"2021","journal-title":"arXiv:2103.15670"},{"key":"ref153","doi-asserted-by":"publisher","DOI":"10.5220\/0012863100003767"},{"key":"ref154","doi-asserted-by":"publisher","DOI":"10.1109\/BigData55660.2022.10020473"},{"key":"ref155","article-title":"Decision-based black-box attack against vision transformers via patch-wise adversarial removal","author":"Shi","year":"2021","journal-title":"arXiv:2112.03492"},{"key":"ref156","article-title":"A comprehensive survey on non-invasive fault injection attacks","author":"Shuvo","year":"2023","journal-title":"Cryptol. ePrint Arch."},{"key":"ref157","article-title":"Efficient and private federated learning with partially trainable networks","author":"Sidahmed","year":"2021","journal-title":"arXiv:2110.03450"},{"key":"ref158","doi-asserted-by":"publisher","DOI":"10.1109\/ICCVW60793.2023.00355"},{"key":"ref159","article-title":"Backdoor attacks on vision transformers","author":"Subramanya","year":"2022","journal-title":"arXiv:2206.08477"},{"key":"ref160","doi-asserted-by":"publisher","DOI":"10.1109\/WACV57701.2024.00383"},{"key":"ref161","doi-asserted-by":"publisher","DOI":"10.1145\/3466752.3480095"},{"key":"ref162","article-title":"Learning the wrong lessons: Inserting trojans during knowledge 
distillation","author":"Tang","year":"2023","journal-title":"arXiv:2303.05593"},{"key":"ref163","doi-asserted-by":"publisher","DOI":"10.3390\/electronics11172638"},{"key":"ref164","doi-asserted-by":"publisher","DOI":"10.1016\/j.compag.2022.107518"},{"key":"ref165","doi-asserted-by":"publisher","DOI":"10.1109\/FCCM51124.2021.00037"},{"key":"ref166","doi-asserted-by":"publisher","DOI":"10.23919\/DATE56975.2023.10136956"},{"key":"ref167","first-page":"10347","article-title":"Training data-efficient image transformers & distillation through attention","volume-title":"Proc. 38th Int. Conf. Mach. Learn.","volume":"139","author":"Touvron"},{"key":"ref168","doi-asserted-by":"publisher","DOI":"10.1109\/ISQED48828.2020.9137007"},{"key":"ref169","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2021.3093160"},{"key":"ref170","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.1706.03762"},{"key":"ref171","doi-asserted-by":"publisher","DOI":"10.1109\/ISOCC50952.2020.9333063"},{"key":"ref172","article-title":"Audio transformers: transformer architectures for large scale audio understanding. 
Adieu convolutions","author":"Verma","year":"2021","journal-title":"arXiv:2105.00335"},{"key":"ref173","article-title":"DecodingTrust: A comprehensive assessment of trustworthiness in GPT models","author":"Wang","year":"2023","journal-title":"arXiv:2306.11698"},{"key":"ref174","doi-asserted-by":"publisher","DOI":"10.23919\/DATE54114.2022.9774742"},{"key":"ref175","article-title":"A survey of neural trojan attacks and defenses in deep learning","author":"Wang","year":"2022","journal-title":"arXiv:2202.07183"},{"key":"ref176","doi-asserted-by":"publisher","DOI":"10.1145\/3503161.3547989"},{"key":"ref177","article-title":"Understanding adversarial robustness of vision transformers via Cauchy problem","author":"Wang","year":"2022","journal-title":"arXiv:2208.00906"},{"key":"ref178","doi-asserted-by":"publisher","DOI":"10.1016\/j.simpa.2022.100449"},{"key":"ref179","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274696"},{"key":"ref180","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i3.20169"},{"key":"ref181","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2020.i3.169-195"},{"key":"ref182","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2023\/759"},{"key":"ref183","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-19778-9_18"},{"key":"ref184","first-page":"1","article-title":"Defending pre-trained language models as few-shot learners against backdoor attacks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"36","author":"Xi"},{"key":"ref185","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2023.3275156"},{"key":"ref186","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.emnlp-tutorial.2"},{"key":"ref187","first-page":"1","article-title":"TrojLLM: A black-box trojan prompt attack on large language models","volume-title":"Proc. 37th Conf. Neural Inf. Process. 
Syst.","author":"Xue"},{"key":"ref188","doi-asserted-by":"publisher","DOI":"10.1049\/iet-cdt.2020.0041"},{"key":"ref189","article-title":"Defense against ML-based power side-channel attacks on DNN accelerators with adversarial attacks","author":"Yan","year":"2023","journal-title":"arXiv:2312.04035"},{"key":"ref190","doi-asserted-by":"publisher","DOI":"10.1109\/ICFPT59805.2023.00026"},{"key":"ref191","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.00290"},{"key":"ref192","first-page":"1","article-title":"Robust contrastive language-image pretraining against data poisoning and backdoor attacks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"36","author":"Yang"},{"key":"ref193","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-61725-7_32"},{"key":"ref194","doi-asserted-by":"publisher","DOI":"10.1109\/AICCSA59173.2023.10479279"},{"key":"ref195","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.00251"},{"key":"ref196","article-title":"A novel evaluation framework for assessing resilience against prompt injection attacks in large language models","author":"Yip","year":"2024","journal-title":"arXiv:2401.00991"},{"key":"ref197","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.blackboxnlp-1.30"},{"key":"ref198","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.findings-emnlp.81"},{"key":"ref199","doi-asserted-by":"publisher","DOI":"10.1109\/FCCM.2019.00059"},{"key":"ref200","first-page":"1","article-title":"Differentially private fine-tuning of language models","volume-title":"Proc. Int. Conf. Learn. Represent.","author":"Yu"},{"key":"ref201","article-title":"GPTFUZZER: Red teaming large language models with auto-generated jailbreak prompts","author":"Yu","year":"2023","journal-title":"arXiv:2309.10253"},{"key":"ref202","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i8.20879"},{"key":"ref203","first-page":"7132","article-title":"Bridge the gap between CV and NLP! 
An optimization-based textual adversarial attack framework","volume-title":"Proc. ACL","author":"Yuan"},{"key":"ref204","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.02357"},{"key":"ref205","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.acl-long.74"},{"key":"ref206","article-title":"Adversarial attacks and defenses for speech recognition systems","author":"\u017belasko","year":"2021","journal-title":"arXiv:2103.17122"},{"key":"ref207","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP43922.2022.9747508"},{"key":"ref208","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2022.3215188"},{"key":"ref209","article-title":"Text revealer: Private text reconstruction via model inversion attacks against transformers","author":"Zhang","year":"2022","journal-title":"arXiv:2209.10505"},{"key":"ref210","doi-asserted-by":"publisher","DOI":"10.1145\/3374217"},{"key":"ref211","doi-asserted-by":"publisher","DOI":"10.1109\/LSP.2023.3302697"},{"key":"ref212","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3106169"},{"key":"ref213","article-title":"Meta-transformer: A unified framework for multimodal learning","author":"Zhang","year":"2023","journal-title":"arXiv:2307.10802"},{"key":"ref214","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00049"},{"key":"ref215","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.findings-emnlp.370"},{"key":"ref216","article-title":"Protecting language generation models via invisible watermarking","author":"Zhao","year":"2023","journal-title":"arXiv:2302.03162"},{"key":"ref217","first-page":"1","article-title":"On evaluating adversarial robustness of large vision-language models","volume-title":"Proc. Adv. Neural Inf. Process. 
Syst.","volume":"36","author":"Zhao"},{"key":"ref218","article-title":"TrojViT: Trojan insertion in vision transformers","author":"Zheng","year":"2022","journal-title":"arXiv:2208.13049"},{"key":"ref219","doi-asserted-by":"publisher","DOI":"10.1109\/DAC56929.2023.10247719"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6287639\/10380310\/10771766.pdf?arnumber=10771766","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,12]],"date-time":"2024-12-12T06:35:50Z","timestamp":1733985350000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10771766\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":219,"URL":"https:\/\/doi.org\/10.1109\/access.2024.3509372","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024]]}}}