{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,24]],"date-time":"2026-01-24T14:38:55Z","timestamp":1769265535869,"version":"3.49.0"},"reference-count":86,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/sp46214.2022.9833688","type":"proceedings-article","created":{"date-parts":[[2022,7,27]],"date-time":"2022-07-27T19:28:05Z","timestamp":1658950085000},"page":"1372-1389","source":"Crossref","is-referenced-by-count":26,"title":["Model Orthogonalization: Class Distance Hardening in Neural Networks for Better Security"],"prefix":"10.1109","author":[{"given":"Guanhong","family":"Tao","sequence":"first","affiliation":[{"name":"Purdue University,Department of Computer Science"}]},{"given":"Yingqi","family":"Liu","sequence":"additional","affiliation":[{"name":"Purdue University,Department of Computer Science"}]},{"given":"Guangyu","family":"Shen","sequence":"additional","affiliation":[{"name":"Purdue University,Department of Computer Science"}]},{"given":"Qiuling","family":"Xu","sequence":"additional","affiliation":[{"name":"Purdue University,Department of Computer Science"}]},{"given":"Shengwei","family":"An","sequence":"additional","affiliation":[{"name":"Purdue University,Department of Computer Science"}]},{"given":"Zhuo","family":"Zhang","sequence":"additional","affiliation":[{"name":"Purdue University,Department of Computer Science"}]},{"given":"Xiangyu","family":"Zhang","sequence":"additional","affiliation":[{"name":"Purdue University,Department of Computer Science"}]}],"member":"263","reference":[{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46475-6_53"},{"key":"ref57","article-title":"Badnl: Backdoor attacks against nlp models","author":"chen","year":"2020","journal-title":"arXiv preprint arXiv 2006 01997"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3339815"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00022"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-34166-3_46"},{"key":"ref59","article-title":"A target-agnostic attack on deep models: Exploiting security vulnerabilities of transfer learning","author":"rezaei","year":"2020","journal-title":"ICLRE"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2019.00012"},{"key":"ref58","article-title":"Weight poisoning attacks on pre-trained models","author":"kurita","year":"2020","journal-title":"ACL"},{"key":"ref53","article-title":"Fast is better than free: Revisiting adversarial training","author":"wong","year":"2020","journal-title":"ICLRE"},{"key":"ref52","article-title":"Learning from delayed rewards","author":"watkins","year":"1989"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00076"},{"key":"ref55","article-title":"Input-aware dynamic backdoor attack","volume":"33","author":"nguyen","year":"2020","journal-title":"NeurIPS"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref54","article-title":"Abs","year":"0"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00034"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00038"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58583-9_20"},{"key":"ref18","article-title":"Defending neural backdoors via generative distribution modeling","author":"qiao","year":"2019","journal-title":"NeurIPS"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1023\/A:1013689704352"},{"key":"ref50","article-title":"Boundary thickness and robustness in learning models","author":"yang","year":"2020","journal-title":"NeurIPS"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i2.16201"},{"key":"ref45","article-title":"Dynamic backdoor attacks against machine learning models","author":"salem","year":"2020","journal-title":"arXiv preprint arXiv 2003"},{"key":"ref48","article-title":"Do adversarially robust imagenet models transfer better?","author":"salman","year":"2020","journal-title":"NeurIPS"},{"key":"ref47","article-title":"Keras Applications","year":"0"},{"key":"ref42","article-title":"TrojAI Leaderboard","year":"0"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423362"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"ref85","article-title":"Reflection backdoor: A natural backdoor attack on deep neural networks","author":"liu","year":"0"},{"key":"ref44","article-title":"Moth","year":"0"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.6017"},{"key":"ref49","article-title":"Large margin deep networks for classification","author":"elsayed","year":"2018","journal-title":"NeurIPS"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01445"},{"key":"ref7","first-page":"7614","article-title":"Transferable clean-label poisoning attacks on deep neural nets","author":"zhu","year":"2019","journal-title":"ICML"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6871"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423362"},{"key":"ref3","article-title":"Reflection backdoor: A natural backdoor attack on deep neural networks","author":"liu","year":"2020","journal-title":"ECCV"},{"key":"ref6","article-title":"Poison frogs! targeted clean-label poisoning attacks on neural networks","author":"shafahi","year":"2018","journal-title":"NeurIPS"},{"key":"ref5","article-title":"Blind backdoors in deep learning models","author":"bagdasaryan","year":"2020","journal-title":"arXiv preprint arXiv 2005 03915"},{"key":"ref82","first-page":"3213","article-title":"The cityscapes dataset for semantic urban scene understanding","author":"cordts","year":"2016","journal-title":"CVPR"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1177\/0278364913491297"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00073"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1049\/iet-cvi.2010.0040"},{"key":"ref80","article-title":"Mobilenets: Efficient convolutional neural networks for mobile vision applications","author":"howard","year":"2017","journal-title":"arXiv preprint arXiv 1704 04861"},{"key":"ref35","article-title":"Robust anomaly detection and backdoor attack detection via differential privacy","author":"du","year":"2019","journal-title":"ICLRE"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.308"},{"key":"ref34","article-title":"Poison as a cure: Detecting & neutralizing variable-sized backdoor attacks in deep neural networks","author":"chan","year":"2019","journal-title":"arXiv preprint arXiv 1911 08105"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"ref37","article-title":"Strong data augmentation sanitizes poisoning and backdoor attacks without an accuracy tradeoff","author":"borgnia","year":"2020","journal-title":"arXiv preprint arXiv 2011 09137"},{"key":"ref36","article-title":"Fine-pruning: Defending against backdooring attacks on deep neural networks","author":"liu","year":"2018","journal-title":"RAID"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00025"},{"key":"ref75","article-title":"Very deep convolutional networks for large-scale image recognition","author":"simonyan","year":"2014","journal-title":"arXiv preprint arXiv 1409 1556"},{"key":"ref30","article-title":"Neural trojans","author":"liu","year":"2017","journal-title":"ICCD"},{"key":"ref74","article-title":"Network in network","author":"lin","year":"2013","journal-title":"arXiv preprint arXiv 1312 4400"},{"key":"ref33","article-title":"Detecting backdoors in neural networks using novel feature-based anomaly detection","author":"fu","year":"2020","journal-title":"arXiv preprint arXiv 2011 05151"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"ref32","first-page":"8000","article-title":"Spectral signatures in backdoor attacks","author":"tran","year":"2018","journal-title":"NeurIPS"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/TITS.2012.2209421"},{"key":"ref2","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"chen","year":"2017","journal-title":"arXiv preprint arXiv 1712 05526"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"ref39","article-title":"Neural attention distillation: Erasing backdoor triggers from deep neural networks","author":"li","year":"2021","journal-title":"ICLRE"},{"key":"ref38","article-title":"Deepsweep: An evaluation framework for mitigating dnn backdoor attacks using data augmentation","author":"zeng","year":"0","journal-title":"2012 arXiv preprint arXiv"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref70","article-title":"Ensemble adversarial training: Attacks and defenses","author":"tram\u00e9r","year":"2018","journal-title":"ICLRE"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref72","first-page":"2755","article-title":"Universal adversarial perturbations against semantic image segmentation","author":"hendrik metzen","year":"2017","journal-title":"ICCV"},{"key":"ref24","article-title":"Nnoculation: broad spectrum and targeted treatment of backdoored dnns","author":"veldanda","year":"0","journal-title":"arXiv preprint arXiv 2002 08046"},{"key":"ref68","article-title":"Adversarial training for free!","author":"shafahi","year":"2019","journal-title":"NeurIPS"},{"key":"ref23","article-title":"Neuroninspect: Detecting backdoors in neural networks via output explanations","author":"huang","year":"2019","journal-title":"arXiv preprint arXiv 1911 07596"},{"key":"ref67","article-title":"Towards deep learning models resistant to adversarial attacks","author":"madry","year":"2018","journal-title":"ICLRE"},{"key":"ref26","article-title":"Demon in the variant: Statistical analysis of dnns for robust backdoor contamination detection","author":"tang","year":"2021","journal-title":"Usenix Security"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23415"},{"key":"ref69","article-title":"Adversarial machine learning at scale","author":"kurakin","year":"2017","journal-title":"ICLRE"},{"key":"ref20","article-title":"Cassandra: Detecting trojaned networks from adversarial perturbations","author":"zhang","year":"2020","journal-title":"arXiv preprint arXiv 2007 14638"},{"key":"ref64","first-page":"480","article-title":"Data poisoning attacks against federated learning systems","author":"tolpegin","year":"2020","journal-title":"ESORICS"},{"key":"ref63","article-title":"Attack of the tails: Yes, you really can backdoor federated learning","author":"wang","year":"2020","journal-title":"NeurIPS"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM50108.2020.00025"},{"key":"ref66","article-title":"Local model poisoning attacks to byzantine-robust federated learning","author":"fang","year":"2020","journal-title":"Usenix Security"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_14"},{"key":"ref65","first-page":"2938","article-title":"How to backdoor federated learning","author":"bagdasaryan","year":"2020","journal-title":"AISTATS"},{"key":"ref28","article-title":"Detecting backdoor attacks on deep neural networks by activation clustering","author":"chen","year":"0","journal-title":"arXiv preprint arXiv 1811 03728"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref29","article-title":"Rethinking the trigger of backdoor attack","author":"li","year":"2020","journal-title":"arXiv preprint arXiv 2004 00493"},{"key":"ref60","first-page":"1281","article-title":"With great training comes great vulnerability: Practical attacks against transfer learning","author":"wang","year":"2018","journal-title":"Usenix Security"},{"key":"ref62","article-title":"Dba: Distributed backdoor attacks against federated learning","author":"xie","year":"2019","journal-title":"ICLRE"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354209"}],"event":{"name":"2022 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2022,5,22]]},"end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833550\/9833558\/09833688.pdf?arnumber=9833688","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,8]],"date-time":"2023-11-08T23:18:53Z","timestamp":1699485533000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833688\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":86,"URL":"https:\/\/doi.org\/10.1109\/sp46214.2022.9833688","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}