{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T04:30:29Z","timestamp":1772080229017,"version":"3.50.1"},"reference-count":108,"publisher":"IEEE","license":[{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5]]},"DOI":"10.1109\/sp46215.2023.10179446","type":"proceedings-article","created":{"date-parts":[[2023,7,21]],"date-time":"2023-07-21T13:18:15Z","timestamp":1689945495000},"page":"1875-1892","source":"Crossref","is-referenced-by-count":4,"title":["ADI: Adversarial Dominating Inputs in Vertical Federated Learning Systems"],"prefix":"10.1109","author":[{"given":"Qi","family":"Pang","sequence":"first","affiliation":[{"name":"Carnegie Mellon University"}]},{"given":"Yuanyuan","family":"Yuan","sequence":"additional","affiliation":[{"name":"HKUST"}]},{"given":"Shuai","family":"Wang","sequence":"additional","affiliation":[{"name":"HKUST"}]},{"given":"Wenting","family":"Zheng","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"Credit Dataset"},{"key":"ref2","volume-title":"CrypTen"},{"key":"ref3","volume-title":"PySyft"},{"key":"ref4","volume-title":"Research artifact"},{"key":"ref5","volume-title":"TensorFlow Federated: Machine Learning on Decentralized Data"},{"key":"ref6","volume-title":"Vehicle"},{"key":"ref7","volume-title":"Visual Question Answering in the Medical Domain"},{"key":"ref8","year":"2020","journal-title":"FATE: An industrial grade federated learning framework"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2021.115782"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.279"},{"key":"ref11","article-title":"Synthesizing robust adversarial examples","author":"Athalye","year":"2018","journal-title":"ICML"},{"key":"ref12","article-title":"How to backdoor federated learning","author":"Bagdasaryan","year":"2018","journal-title":"AISTATS"},{"key":"ref13","article-title":"Clustering effect of adversarial robust models","author":"Bai","year":"2021","journal-title":"NeurIPS"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/2168836.2168865"},{"key":"ref15","article-title":"Mutual information neural estimation","author":"Belghazi","year":"2018","journal-title":"ICML"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417885"},{"key":"ref17","article-title":"Analyzing federated learning through an adversarial lens","author":"Bhagoji","year":"2019","journal-title":"ICML"},{"key":"ref18","article-title":"Towards federated learning at scale: System design","author":"Bonawitz","year":"2019","journal-title":"arXiv preprint"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133982"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3447786.3456233"},{"key":"ref21","article-title":"Towards taming the resource and data heterogeneity in federated learning","author":"Chai","year":"2019","journal-title":"{USENIX} OpML"},{"key":"ref22","article-title":"Universal adversarial perturbations: A survey","author":"Chaubey","year":"2020","journal-title":"arXiv preprint"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/MIS.2021.3082561"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/1646396.1646452"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/2901318.2901323"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP39728.2021.9415026"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.2307\/2984875"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM42981.2021.9488743"},{"key":"ref30","article-title":"BERT: Pre-training of deep bidirectional transformers for language understanding","author":"Devlin","year":"2019","journal-title":"NAACL"},{"key":"ref31","volume-title":"The principles of quantum mechanics","volume":"27","author":"Adrien","year":"1981"},{"key":"ref32","article-title":"Local model poisoning attacks to byzantine-robust federated learning","author":"Fang","year":"2020","journal-title":"{USENIX} Security"},{"key":"ref33","article-title":"One-shot learning of object categories","author":"Fei-Fei","year":"2006","journal-title":"IEEE TPAMI"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.371"},{"key":"ref35","article-title":"Label inference attacks against vertical federated learning","author":"Fu","year":"2022","journal-title":"{USENIX} Security"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.29007\/qfmh"},{"key":"ref37","article-title":"The limitations of federated learning in sybil settings","author":"Fung","year":"2020","journal-title":"RAID"},{"key":"ref38","article-title":"Secure multi-party computation","volume":"78","author":"Goldreich","year":"1998","journal-title":"Manuscript. Preliminary version"},{"key":"ref39","volume-title":"Deep learning","volume":"1","author":"Goodfellow","year":"2016"},{"key":"ref40","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow","year":"2014","journal-title":"arXiv preprint"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.670"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-71584-9"},{"key":"ref43","article-title":"Simple black-box adversarial attacks","author":"Guo","year":"2019","journal-title":"ICML"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2018.05.003"},{"key":"ref45","article-title":"Federated learning for mobile keyboard prediction","author":"Hard","year":"2018","journal-title":"arXiv preprint"},{"key":"ref46","article-title":"Private federated learning on vertically partitioned data via entity resolution and additively homomorphic encryption","author":"Hardy","year":"2017","journal-title":"arXiv preprint"},{"key":"ref47","article-title":"Fedml: A research library and benchmark for federated machine learning","author":"He","year":"2020","journal-title":"arXiv preprint"},{"key":"ref48","article-title":"Teaching machines to read and comprehend","author":"Moritz Hermann","year":"2015","journal-title":"arXiv preprint"},{"key":"ref49","article-title":"Learning deep representations by mutual information estimation and maximization","author":"Hjelm","year":"2018","journal-title":"arXiv preprint"},{"key":"ref50","article-title":"Blackbox adversarial attacks with limited queries and information","author":"Ilyas","year":"2018","journal-title":"ICML"},{"key":"ref51","author":"Krizhevsky","year":"2009","journal-title":"Learning multiple layers of features from tiny images"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"ref53","article-title":"Deep neural networks as gaussian processes","author":"Lee","year":"2017","journal-title":"arXiv preprint"},{"key":"ref54","article-title":"Communication efficient distributed machine learning with the parameter server","author":"Li","year":"2014","journal-title":"NeurIPS"},{"key":"ref55","article-title":"Fair resource allocation in federated learning","author":"Li","year":"2019","journal-title":"arXiv preprint"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58577-8_8"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10602-1_48"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6824"},{"key":"ref59","article-title":"Backdoor attacks and defenses in feature-partitioned collaborative learning","author":"Liu","year":"2020","journal-title":"arXiv preprint"},{"key":"ref60","article-title":"Hierarchical question-image co-attention for visual question answering","author":"Lu","year":"2016","journal-title":"arXiv preprint"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/TENCON.2019.8929456"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/3302424.3303986"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/icde51399.2021.00023"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/ICDE51399.2021.00023"},{"key":"ref65","first-page":"281","article-title":"Classification and analysis of multivariate observations","volume-title":"5th Berkeley Symp. Math. Statist. Probability","author":"MacQueen","year":"1967"},{"key":"ref66","article-title":"Adversarial autoencoders","author":"Makhzani","year":"2015","journal-title":"arXiv preprint"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/CyberC.2019.00018"},{"key":"ref68","volume-title":"Mixture models: Inference and applications to clustering","volume":"38","author":"McLachlan","year":"1988"},{"key":"ref69","article-title":"Communication-efficient learning of deep networks from decentralized data","author":"McMahan","year":"2017","journal-title":"AISTATS"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref71","article-title":"Simple black-box adversarial perturbations for deep networks","author":"Narodytska","year":"2016","journal-title":"arXiv preprint"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"ref73","article-title":"Entity resolution and federated learning get a federated resolution","author":"Nock","year":"2018","journal-title":"arXiv preprint"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/TWC.2020.2971981"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/3132747.3132785"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/3190508.3190517"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/tsp.2022.3153135"},{"key":"ref78","article-title":"Scaling up: Distributed machine learning with cooperation","author":"Provost","year":"1996","journal-title":"AAAI\/IAAI"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1109\/tpami.2016.2577031"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1145\/1247480.1247553"},{"key":"ref81","article-title":"Learning important features through propagating activation differences","author":"Shrikumar","year":"2017","journal-title":"ICML"},{"key":"ref82","article-title":"Collaborative machine learning with incentive-aware model rewards","author":"Hwee","year":"2020","journal-title":"ICML"},{"key":"ref83","article-title":"Very deep convolutional networks for large-scale image recognition","author":"Simonyan","year":"2015","journal-title":"ICLR"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/BigData47090.2019.9006327"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.29007\/21r5"},{"key":"ref86","article-title":"Hybrid batch attacks: Finding black-box adversarial examples with limited queries","author":"Suya","year":"2020","journal-title":"{USENIX} Security"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/3447548.3467403"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_24"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1109\/BigData47090.2019.9006344"},{"key":"ref90","article-title":"Ensemble adversarial training: Attacks and defenses","author":"Tram\u00e8r","year":"2017","journal-title":"arXiv preprint"},{"key":"ref91","article-title":"Robustness may be at odds with accuracy","author":"Tsipras","year":"2018","journal-title":"ICLR"},{"key":"ref92","article-title":"Attack of the tails: Yes, you really can backdoor federated learning","author":"Wang","year":"2020","journal-title":"NeurIPS"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1145\/3447786.3456229"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737416"},{"key":"ref95","article-title":"Privacy leakage of real-world vertical federated learning","author":"Weng","year":"2020","journal-title":"arXiv preprint"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23052"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.14778\/3407790.3407811"},{"key":"ref98","article-title":"A vertical federated learning framework for horizontally partitioned labels","author":"Xia","year":"2021","journal-title":"arXiv preprint"},{"key":"ref99","article-title":"Dba: Distributed backdoor attacks against federated learning","author":"Xie","year":"2019","journal-title":"ICLR"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3330579"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1145\/3298981"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2017.2676898"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1145\/3375627.3375840"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378484"},{"key":"ref105","volume-title":"American Fuzzy Lop","author":"Zalewski","year":"2021"},{"key":"ref106","article-title":"A comprehensive survey of incentive mechanism for federated learning","author":"Zeng","year":"2021","journal-title":"arXiv preprint"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2020.2967772"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1109\/34.537343"}],"event":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2023,5,21]]},"end":{"date-parts":[[2023,5,25]]}},"container-title":["2023 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10179215\/10179280\/10179446.pdf?arnumber=10179446","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,19]],"date-time":"2026-02-19T07:32:00Z","timestamp":1771486320000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10179446\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5]]},"references-count":108,"URL":"https:\/\/doi.org\/10.1109\/sp46215.2023.10179446","relation":{},"subject":[],"published":{"date-parts":[[2023,5]]}}}