{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,7]],"date-time":"2026-03-07T18:29:39Z","timestamp":1772908179982,"version":"3.50.1"},"reference-count":66,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/sp46214.2022.9833693","type":"proceedings-article","created":{"date-parts":[[2022,7,27]],"date-time":"2022-07-27T19:28:05Z","timestamp":1658950085000},"page":"787-804","source":"Crossref","is-referenced-by-count":56,"title":["SoK: How Robust is Image Classification Deep Neural Network Watermarking?"],"prefix":"10.1109","author":[{"given":"Nils","family":"Lukas","sequence":"first","affiliation":[{"name":"University of Waterloo,Waterloo,Canada"}]},{"given":"Edward","family":"Jiang","sequence":"additional","affiliation":[{"name":"University of Waterloo,Waterloo,Canada"}]},{"given":"Xinda","family":"Li","sequence":"additional","affiliation":[{"name":"University of Waterloo,Waterloo,Canada"}]},{"given":"Florian","family":"Kerschbaum","sequence":"additional","affiliation":[{"name":"University of Waterloo,Waterloo,Canada"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.5244\/C.29.41"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.713"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00552"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1016\/j.media.2019.02.010"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/TITS.2017.2714691"},{"key":"ref6","volume-title":"Cleaning big data: Most time-consuming, least enjoyable data science task, survey says","year":"2016"},{"key":"ref7","volume-title":"Thieves on sesame street! model extraction of bert-based apis","author":"Krishna","year":"2020"},{"key":"ref8","article-title":"Bert: Pre-training of deep bidirectional transformers for language understanding","author":"Devlin","year":"2018","journal-title":"arXiv preprint arXiv:1810.04805"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"ref10","first-page":"1345","article-title":"High accuracy and high fidelity extraction of neural networks","volume-title":"29th {USENIX} Security Symposium ({USENIX} Security 20)","author":"Jagielski"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-56877-1_7"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-62144-5_4"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/3078971.3078974"},{"key":"ref14","article-title":"Deepsigns: A generic watermarking framework for ip protection of deep learning models","author":"Rouhani","year":"2018","journal-title":"arXiv preprint arXiv:1804.00750"},{"key":"ref15","first-page":"1615","article-title":"Turning your weakness into a strength: Watermarking deep neural networks by backdooring","volume-title":"27th {USENIX} Security Symposium ({USENIX} Security 18)","author":"Adi"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196550"},{"key":"ref17","article-title":"On the robustness of the backdoor-based watermarking in deep neural networks","author":"Shafieinejad","year":"2019","journal-title":"arXiv preprint arXiv:1906.07745"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/ICPR48806.2021.9412684"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2019.8682202"},{"key":"ref20","article-title":"To prune, or not to prune: exploring the efficacy of pruning for model compression","author":"Zhu","year":"2017","journal-title":"arXiv preprint arXiv:1710.01878"},{"key":"ref21","article-title":"Distilling the knowledge in a neural network","author":"Hinton","year":"2015","journal-title":"arXiv preprint arXiv:1503.02531"},{"key":"ref22","article-title":"Deepmarks: a digital fingerprinting framework for deep neural networks","author":"Chen","year":"2018","journal-title":"arXiv preprint arXiv:1804.03648"},{"key":"ref23","article-title":"Blackmarks: Black-box multibit watermarking for deep neural networks","author":"Chen","year":"2019","journal-title":"arXiv preprint arXiv:1904.00344"},{"key":"ref24","article-title":"Entangled watermarks as a defense against model extraction","volume-title":"30th {USENIX} Security Symposium ({USENIX} Security 21) (to appear)","author":"Jia"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-019-04434-z"},{"key":"ref26","article-title":"Dawn: Dynamic adversarial watermarking of neural networks","author":"Szyller","year":"2019","journal-title":"arXiv preprint arXiv:1906.00830"},{"key":"ref27","volume-title":"Cifar-10 (canadian institute for advanced research)","author":"Krizhevsky"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"ref29","first-page":"T2","article-title":"Learning transferable visual models from natural language supervision","volume":"2","author":"Radford","journal-title":"Image"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833693"},{"key":"ref31","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow","year":"2014","journal-title":"arXiv preprint arXiv:1412.6572"},{"key":"ref32","article-title":"Intriguing properties of neural networks","author":"Szegedy","year":"2013","journal-title":"arXiv preprint arXiv:1312.6199"},{"key":"ref33","article-title":"Piracy resistant watermarks for deep neural networks","author":"Li","year":"2019","journal-title":"arXiv preprint arXiv:1910.01226"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102277"},{"key":"ref36","first-page":"601","article-title":"Stealing machine learning models via prediction apis","volume-title":"25th {USENIX} Security Symposium ({USENIX} Security 16)","author":"Tram\u00e8r"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-60566-766-9.ch011"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"ref41","article-title":"Towards deep learning models resistant to adversarial attacks","author":"Madry","year":"2017","journal-title":"arXiv preprint arXiv:1706.06083"},{"key":"ref42","article-title":"Defensive quantization: When efficiency meets robustness","author":"Lin","year":"2019","journal-title":"arXiv preprint arXiv:1904.08444"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23198"},{"key":"ref44","article-title":"A study of the effect of jpg compression on adversarial images","author":"Dziugaite","year":"2016","journal-title":"arXiv preprint arXiv:1608.00853"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140449"},{"key":"ref46","article-title":"Invert and defend: Model-based approximate inversion of generative adversarial networks for secure inference","author":"Lin","year":"2019","journal-title":"arXiv preprint arXiv:1911.10291"},{"issue":"1","key":"ref47","first-page":"6869","article-title":"Quantized neural networks: Training neural networks with low precision weights and activations","volume":"18","author":"Hubara","year":"2017","journal-title":"The Journal of Machine Learning Research"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.308"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-020-01316-z"},{"key":"ref50","article-title":"The space of transferable adversarial examples","author":"Tram\u00e8r","year":"2017","journal-title":"arXiv preprint arXiv:1704.03453"},{"key":"ref51","first-page":"8024","article-title":"Pytorch: An imperative style, high-performance deep learning library","author":"Paszke","year":"2019","journal-title":"Advances in Neural Information Processing Systems 32"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.5244\/C.30.87"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"issue":"101","key":"ref55","first-page":"102","article-title":"Dawnbench: An end-to-end deep learning benchmark and competition","volume":"100","author":"Coleman","year":"2017","journal-title":"Training"},{"issue":"2","key":"ref56","first-page":"8","article-title":"Big transfer (bit): General visual representation learning","volume":"6","author":"Kolesnikov","year":"2019","journal-title":"arXiv preprint arXiv:1912.11370"},{"key":"ref57","article-title":"Deep neural network fingerprinting by conferrable adversarial examples","volume-title":"International Conference on Learning Representations","author":"Lukas"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1162\/089976699300016557"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1126\/science.aab3050"},{"issue":"2011","key":"ref60","first-page":"1","article-title":"Sparse autoencoder","volume":"72","author":"Ng","year":"2011","journal-title":"CS294A Lecture notes"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46493-038"},{"key":"ref62","article-title":"Very deep convolutional networks for large-scale image recognition","author":"Simonyan","year":"2014","journal-title":"arXiv preprint arXiv:1409.1556"},{"key":"ref63","article-title":"Squeezenet: Alexnet-level accuracy with 50x fewer parameters and! 0.5 mb model size","author":"Iandola","year":"2016","journal-title":"arXiv preprint arXiv:1602.07360"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.4324\/9781410605337-29"},{"key":"ref65","first-page":"1097","article-title":"Imagenet classification with deep convolutional neural networks","volume":"25","author":"Krizhevsky","year":"2012","journal-title":"Advances in neural information processing systems"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00474"}],"event":{"name":"2022 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2022,5,22]]},"end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833550\/9833558\/09833693.pdf?arnumber=9833693","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,12]],"date-time":"2024-01-12T00:50:20Z","timestamp":1705020620000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833693\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":66,"URL":"https:\/\/doi.org\/10.1109\/sp46214.2022.9833693","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}