{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T04:10:06Z","timestamp":1775880606194,"version":"3.50.1"},"reference-count":101,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"3","license":[{"start":{"date-parts":[[2020,3,1]],"date-time":"2020-03-01T00:00:00Z","timestamp":1583020800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2020,3,1]],"date-time":"2020-03-01T00:00:00Z","timestamp":1583020800000},"content-version":"am","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2020,3,1]],"date-time":"2020-03-01T00:00:00Z","timestamp":1583020800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2020,3,1]],"date-time":"2020-03-01T00:00:00Z","timestamp":1583020800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/100000181","name":"Air Force Office of Scientific Research","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000181","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100004351","name":"Cisco Systems","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100004351","id-type":"DOI","asserted-by":"publisher"}]},{"name":"AWS Credits Gift"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. IEEE"],"published-print":{"date-parts":[[2020,3]]},"DOI":"10.1109\/jproc.2020.2970615","type":"journal-article","created":{"date-parts":[[2020,2,26]],"date-time":"2020-02-26T21:06:45Z","timestamp":1582751205000},"page":"402-433","source":"Crossref","is-referenced-by-count":206,"title":["Adversarial Learning Targeting Deep Neural Network Classification: A Comprehensive Review of Defenses Against Attacks"],"prefix":"10.1109","volume":"108","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8848-1643","authenticated-orcid":false,"given":"David J.","family":"Miller","sequence":"first","affiliation":[{"name":"School of Electrical Engineering and Computer Science, Pennsylvania State University, University Park, PA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4284-2041","authenticated-orcid":false,"given":"Zhen","family":"Xiang","sequence":"additional","affiliation":[{"name":"School of Electrical Engineering and Computer Science, Pennsylvania State University, University Park, PA, USA"}]},{"given":"George","family":"Kesidis","sequence":"additional","affiliation":[{"name":"School of Electrical Engineering and Computer Science, Pennsylvania State University, University Park, PA, USA"}]}],"member":"263","reference":[{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"ref38","first-page":"1","article-title":"Good word attacks on statistical spam filters","author":"lowd","year":"2005","journal-title":"Proceedings of the CSE"},{"key":"ref33","first-page":"1","article-title":"Revealing backdoors, post-training, in DNN classifiers via novel inference on optimized perturbations inducing group misclassification","author":"xiang","year":"2020","journal-title":"Proc IEEE ICASSP"},{"key":"ref32","article-title":"Detecting backdoor attacks on deep neural networks by activation clustering","author":"chen","year":"2018","journal-title":"arXiv 1811 03728"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2013.57"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"ref36","first-page":"1","article-title":"On detecting adversarial perturbations","author":"metzen","year":"2017","journal-title":"Proc ICLR"},{"key":"ref35","article-title":"The limitations of adversarial training and the blind-spot attack","author":"zhang","year":"2019","journal-title":"arXiv 1901 04684"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref21","first-page":"1","article-title":"Backdoor embedding in convolutional neural network models via invisible perturbation","author":"liao","year":"2019","journal-title":"Proc of CODASPY"},{"key":"ref24","article-title":"Revealing perceptible backdoors, without the training set, via the maximum achievable misclassification fraction statistic","author":"xiang","year":"2019","journal-title":"arXiv 1911 07970"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/MLSP.2019.8918908"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D17-1230"},{"key":"ref26","first-page":"601","article-title":"Stealing machine learning models via prediction apis","author":"tramer","year":"2016","journal-title":"Proc Usenix Secur Symp"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2014.2345378"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-88735-7_2"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/WASPAA.2015.7336950"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/TMM.2015.2478068"},{"key":"ref59","first-page":"1","article-title":"Defensive quantization: When efficiency meets robustness","author":"lin","year":"2019","journal-title":"Proc ICLR"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23198"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098158"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2019.8682578"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"ref53","first-page":"97","article-title":"Support vector machines under adversarial label noise","author":"biggio","year":"2011","journal-title":"Proc Asian Conf Mach Learn"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2807385"},{"key":"ref40","doi-asserted-by":"crossref","DOI":"10.1162\/neco_a_01209","article-title":"Anomaly detection of attacks (ADA) on DNN classifiers at TEST TIME","volume":"31","author":"miller","year":"2019","journal-title":"Neural Comput"},{"key":"ref4","first-page":"1","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2014","journal-title":"Proc ICLR"},{"key":"ref3","first-page":"2672","article-title":"Generative adversarial networks","author":"goodfellow","year":"2014","journal-title":"Proc Neural Inf Process Syst (NIPS)"},{"key":"ref6","author":"lecun","year":"1998","journal-title":"The MNIST Database of Handwritten Digits"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/2517312.2517321"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1023\/A:1007692713085"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2018.00009"},{"key":"ref7","author":"rabiner","year":"1993","journal-title":"Fundamentals of speech recognition"},{"key":"ref9","author":"duda","year":"2001","journal-title":"Pattern Classification"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/78.175747"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/78.650101"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref47","article-title":"Detecting adversarial samples from artifacts","author":"feinman","year":"2017","journal-title":"arXiv 1703 00410"},{"key":"ref42","first-page":"513","article-title":"Hidden voice commands","author":"carlini","year":"2016","journal-title":"Proc Usenix Secur Symp"},{"key":"ref41","author":"kurose","year":"2004","journal-title":"Computer Networking A Top-Down Approach Featuring the Internet"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.615"},{"key":"ref43","first-page":"1","article-title":"Robustness may be at odds with accuracy","author":"tsipras","year":"2019","journal-title":"Proc ICLR"},{"key":"ref73","article-title":"Ensemble adversarial training: Attacks and defenses","author":"tramer","year":"2018","journal-title":"Proc ICLR"},{"key":"ref72","first-page":"1","article-title":"Adversarial machine learning at scale","author":"kurakin","year":"2017","journal-title":"Proc ICLR"},{"key":"ref71","first-page":"1","article-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples","author":"athalye","year":"2018","journal-title":"Proc ICML"},{"key":"ref70","first-page":"1","article-title":"Towards fast computation of certified robustness for ReLU networks","author":"weng","year":"2018","journal-title":"Proc ICML"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.56"},{"key":"ref77","first-page":"1","article-title":"A baseline for detecting misclassified and out-of-distribution examples in neural networks","author":"hendrycks","year":"2017","journal-title":"Proc ICLR"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140449"},{"key":"ref75","article-title":"On the (statistical) detection of adversarial examples","author":"grosse","year":"2017","journal-title":"arXiv 1702 06280"},{"key":"ref78","first-page":"1","article-title":"Early methods for detecting adversarial images","author":"hendrycks","year":"2017","journal-title":"ICLR Workshop Track"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2016.0020"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2017.2700270"},{"key":"ref61","author":"carlini","year":"2019","journal-title":"et al On Evaluating Adversarial Robustness"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"ref64","first-page":"854","article-title":"Parseval networks: Improving robustness to adversarial examples","author":"cisse","year":"2017","journal-title":"Proc ICML"},{"key":"ref65","first-page":"6541","article-title":"Lipschitz-margin training: Scalable certification of perturbation invariance for deep neural networks","author":"tsuzuku","year":"2018","journal-title":"Proc NIPS"},{"key":"ref66","article-title":"Efficient and accurate estimation of lipschitz constants for deep neural networks","author":"fazlyab","year":"2019","journal-title":"arXiv 1906 04893"},{"key":"ref67","first-page":"1","article-title":"Provable defenses against adversarial examples via the convex outer adversarial polytope","author":"kolter","year":"2018","journal-title":"Proc ICML"},{"key":"ref68","first-page":"1","article-title":"Certified defenses against adversarial examples","author":"raghunathan","year":"2018","journal-title":"Proc ICLR"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3264418"},{"key":"ref69","first-page":"6240","article-title":"Spectrally-normalized margin bounds for neural networks","author":"bartlett","year":"2017","journal-title":"Proc NIPS"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/1128817.1128824"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2012.6248092"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1214\/aos\/1176344136"},{"key":"ref93","first-page":"1","article-title":"Towards deep learning models resistant to adversarial attacks","author":"madry","year":"2018","journal-title":"Proc ICLR"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref91","year":"2010","journal-title":"CIFAR-10 Dataset"},{"key":"ref90","article-title":"Motivating the rules of the game for adversarial example research","author":"gilmer","year":"2018","journal-title":"arXiv 1807 06732"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/MLSP.2018.8517014"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/TSP.2006.870586"},{"key":"ref96","first-page":"571","article-title":"A mixture of experts classifier with learning based on both labelled and unlabelled data","author":"miller","year":"1997","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2016.2561288"},{"key":"ref10","first-page":"1","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2015","journal-title":"Proc ICLR"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4757-2440-0"},{"key":"ref12","author":"breiman","year":"1984","journal-title":"Classification and Regression Trees"},{"key":"ref13","year":"1998","journal-title":"Lenet-5 convolutional neural networks"},{"key":"ref14","first-page":"1929","article-title":"Dropout: A simple way to prevent neural networks from overfitting","volume":"15","author":"srivastavanitish","year":"2014","journal-title":"J Mach Learn Res"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2014.08.081"},{"key":"ref82","first-page":"3517","article-title":"Certified defenses for data poisoning","author":"steinhardt","year":"2017","journal-title":"Proc NIPS"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/MLSP.2017.8168163"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2016.2514401"},{"key":"ref18","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"chen","year":"2017","journal-title":"arXiv 1712 05526"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/2666652.2666656"},{"key":"ref19","first-page":"8000","article-title":"Spectral signatures in backdoor attacks","author":"tran","year":"2018","journal-title":"Proc NIPS"},{"key":"ref83","article-title":"Stronger data poisoning attacks break data sanitization defenses","author":"koh","year":"2018","journal-title":"arXiv 1811 00741"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.173"},{"key":"ref89","first-page":"1","article-title":"Prior convictions: Black-box adversarial attacks with bandits and priors","author":"ilyas","year":"2019","journal-title":"Proc ICLR"},{"key":"ref85","first-page":"1953","article-title":"Iterative learning for reliable crowdsourcing systems","author":"karger","year":"2011","journal-title":"Proc NIPS"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2014.2327026"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1145\/2661829.2662047"}],"container-title":["Proceedings of the IEEE"],"original-title":[],"link":[{"URL":"https:\/\/ieeexplore.ieee.org\/ielam\/5\/9024148\/9013065-aam.pdf","content-type":"application\/pdf","content-version":"am","intended-application":"syndication"},{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/5\/9024148\/09013065.pdf?arnumber=9013065","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,29]],"date-time":"2022-07-29T19:32:16Z","timestamp":1659123136000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9013065\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,3]]},"references-count":101,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.1109\/jproc.2020.2970615","relation":{},"ISSN":["0018-9219","1558-2256"],"issn-type":[{"value":"0018-9219","type":"print"},{"value":"1558-2256","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,3]]}}}