{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,3]],"date-time":"2026-04-03T15:33:14Z","timestamp":1775230394670,"version":"3.50.1"},"reference-count":145,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"4","license":[{"start":{"date-parts":[[2024,4,1]],"date-time":"2024-04-01T00:00:00Z","timestamp":1711929600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2024,4,1]],"date-time":"2024-04-01T00:00:00Z","timestamp":1711929600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2024,4,1]],"date-time":"2024-04-01T00:00:00Z","timestamp":1711929600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"Key R&D Program of Shandong Province","award":["2021CXGC010107"],"award-info":[{"award-number":["2021CXGC010107"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62032002"],"award-info":[{"award-number":["62032002"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61932005"],"award-info":[{"award-number":["61932005"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100013314","name":"Higher Education Discipline Innovation Project","doi-asserted-by":"publisher","award":["B21049"],"award-info":[{"award-number":["B21049"]}],"id":[{"id":"10.13039\/501100013314","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Artif. 
Intell."],"published-print":{"date-parts":[[2024,4]]},"DOI":"10.1109\/tai.2023.3314398","type":"journal-article","created":{"date-parts":[[2023,9,12]],"date-time":"2023-09-12T13:41:37Z","timestamp":1694526097000},"page":"1533-1553","source":"Crossref","is-referenced-by-count":7,"title":["A Survey of Security Protection Methods for Deep Learning Model"],"prefix":"10.1109","volume":"5","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4415-0126","authenticated-orcid":false,"given":"Haipeng","family":"Peng","sequence":"first","affiliation":[{"name":"Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3889-855X","authenticated-orcid":false,"given":"Shuang","family":"Bao","sequence":"additional","affiliation":[{"name":"Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9949-8731","authenticated-orcid":false,"given":"Lixiang","family":"Li","sequence":"additional","affiliation":[{"name":"Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.4310\/MAA.2003.v10.n4.a5"},{"key":"ref2","first-page":"265","article-title":"TensorFlow: A system for Large-Scale machine learning","volume-title":"Proc. 12th USENIX Symp. Operating Syst. Des. Implementation","author":"Abadi","year":"2016"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.5555\/3454287.3455008"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2807385"},{"key":"ref5","first-page":"3517","article-title":"Certified defenses for data poisoning attacks","volume-title":"Proc. Adv. Neural Inf. Process. 
Syst.","author":"Steinhardt","year":"2017"},{"issue":"2","key":"ref6","first-page":"2373","article-title":"A survey on denial of service attacks","volume":"5","author":"Gunasekhar","year":"2014","journal-title":"Int. J. Comput. Sci. Inf. Technol."},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58607-2_11"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3034721"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241142"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1016\/j.asoc.2021.107096"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SMARTCOMP.2017.7946998"},{"key":"ref14","first-page":"1","article-title":"Identification of malicious activities in industrial Internet of Things based on deep learning models","volume":"41","author":"Muna","year":"2018","journal-title":"J. Inf. Secur. 
Appl."},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813687"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/TSC.2018.2868750"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2939713"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/ICC.2019.8761267"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2019.2941244"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1038\/nature14539"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/ICEngTechnol.2017.8308186"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2011.5947611"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1016\/j.media.2019.101552"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/1128817.1128824"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.11.007"},{"key":"ref26","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"Chen","year":"2017"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1016\/j.specom.2017.11.003"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/JBHI.2014.2344095"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00057"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140451"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/UBMYK48245.2019.8965459"},{"key":"ref32","first-page":"6106","article-title":"Poison frogs! Targeted clean-label poisoning attacks on neural networks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Shafahi","year":"2018"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2019.2962914"},{"key":"ref34","first-page":"201","article-title":"Online data poisoning attacks","volume-title":"Proc. Learn. Dyn. 
Control","author":"Zhang","year":"2020"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01304"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1007\/s10994-021-06119-y"},{"key":"ref37","first-page":"12080","article-title":"MetaPoison: Practical general-purpose clean-label data poisoning","volume":"33","author":"Huang","year":"2020","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3379992"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485368"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/3078971.3078974"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-019-04434-z"},{"key":"ref42","article-title":"PoTrojan: Powerful neural-level trojan designs in deep learning models","author":"Zou","year":"2018"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.3390\/fi13030073"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW56347.2022.00383"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1023\/B:AIRE.0000045502.10941.a9"},{"key":"ref46","first-page":"10859","article-title":"Robust learning for data poisoning attacks","volume-title":"Proc. Int. Conf. Mach. 
Learn.","author":"Wang"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_24"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00025"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-66415-2_4"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3080522"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/ICCD.2017.16"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/647"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v32i1.11838"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2909068"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref57","first-page":"3454","article-title":"Input-aware dynamic backdoor attack","volume-title":"Adv. Neural Inf. Process. Syst.","volume":"33","author":"Nguyen","year":"2020"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00035"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref61","first-page":"4129","article-title":"Defense against backdoor attacks via robust covariance estimation","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Hayase"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01617"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/TCAD.2021.3111123"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3069258"},{"key":"ref65","first-page":"1901","article-title":"DRMI: A dataset reduction technology based on mutual information for black-box attacks","volume-title":"Proc. USENIX Secur. 
Symp.","author":"He","year":"2021"},{"key":"ref66","first-page":"1973","article-title":"Hermes attack: Steal DNN models with lossless inference accuracy","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Zhu","year":"2021"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/3453688.3461512"},{"key":"ref68","first-page":"1345","article-title":"High accuracy and high fidelity extraction of neural networks","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Jagielski","year":"2020"},{"key":"ref69","first-page":"267","article-title":"The secret sharer: Evaluating and testing unintended memorization in neural networks","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Carlini","year":"2019"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134077"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-63076-8_2"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00033"},{"key":"ref73","article-title":"Intriguing properties of neural networks","volume-title":"Proc. 2nd Int. Conf. Learn. 
Representations","author":"Szegedy","year":"2014"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2017.172"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2018.00015"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_29"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2020.102634"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1145\/3394486.3403225"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00765"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58542-6_3"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2022.02.025"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-29959-0_4"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1109\/iThings-GreenCom-CPSCom-SmartData-Cybermatics50389.2020.00125"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00085"},{"key":"ref87","first-page":"1937","article-title":"Entangled watermarks as a defense against model extraction","volume-title":"Proc. USENIX Secur. Symp.","author":"Jia","year":"2021"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1145\/3474369.3486863"},{"key":"ref89","article-title":"Privacy-preserving machine learning through data obfuscation","author":"Zhang","year":"2018"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2015.2470255"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00932"},{"key":"ref93","first-page":"1291","article-title":"Updates-Leak: Data set inference and reconstruction attacks in online learning","volume-title":"Proc. 29th USENIX Secur. 
Symp.","author":"Salem","year":"2020"},{"key":"ref94","first-page":"20","article-title":"Explaining and harnessing adversarial examples","volume-title":"stat","volume":"1050","author":"Goodfellow","year":"2015"},{"key":"ref95","article-title":"Defense-GAN: Protecting classifiers against adversarial attacks using generative models","volume-title":"Proc. 6th Int. Conf. Learn. Representations","author":"Samangouei","year":"2018"},{"key":"ref96","first-page":"1829","article-title":"Defense against adversarial attacks using feature scattering-based adversarial training","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Zhang","year":"2019"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/ASP-DAC47756.2020.9045584"},{"key":"ref98","first-page":"9263","article-title":"GNNGuard: Defending graph neural networks against adversarial attacks","volume":"33","author":"Zhang","year":"2020","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1997.601338"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.5815\/ijcnis.2013.08.01"},{"key":"ref101","first-page":"109","article-title":"A study of DDoS reflection attack on Internet of Things in IPv4\/IPv6 networks","volume-title":"Proc. Comput. Sci. 
On-line Conf.","author":"imon","year":"2019"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.10.001"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1145\/997150.997156"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1109\/ICSMC.2000.886455"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2006.880180"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1109\/TAC.2019.2953210"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1007\/s12652-019-01396-x"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2917373"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1016\/j.micpro.2020.103278"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1155\/2022\/4729526"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23119"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00040"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0008"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/TCSS.2019.2916086"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1109\/TPSISA52974.2021.00002"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.1080\/01621459.2019.1700130"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1109\/ICEIC54506.2022.9748281"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"ref120","article-title":"Reconciling utility and membership privacy via knowledge distillation","author":"Shejwalkar","year":"2019"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243855"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.1145\/1609956.1609960"},{"key":"ref123","first-page":"1","article-title":"A study on remote code execution vulnerability in web applications","volume-title":"Proc. Int. Conf. Cyber Secur. 
Comput. Sci","author":"Biswas","year":"2018"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1109\/DSN48987.2021.00051"},{"key":"ref126","doi-asserted-by":"crossref","DOI":"10.1016\/j.sysarc.2022.102420","volume":"125","author":"Potteiger","year":"2022","journal-title":"J. Syst. Architecture"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1145\/3458462.3458466"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313639"},{"key":"ref129","first-page":"1","article-title":"Document structure integrity: A robust basis for cross-site scripting defense","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","volume":"20","author":"Nadji","year":"2009"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-21009-0_39"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1109\/DSC.2018.00102"},{"key":"ref132","first-page":"22","volume-title":"Proc. 5th Int. Conf. Mach. Learn. 
Soft Comput.","author":"Ivanova","year":"2021"},{"key":"ref133","article-title":"Software engineering practice in the development of deep learning applications","author":"Zhang","year":"2019"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM41043.2020.9155267"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1109\/CloudTech49835.2020.9365868"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.32604\/cmc.2020.012475"},{"key":"ref137","doi-asserted-by":"publisher","DOI":"10.1109\/TNSM.2021.3071774"},{"key":"ref138","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2017.02.006"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCN52240.2021.9522267"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.1145\/3241539.3241563"},{"key":"ref141","doi-asserted-by":"publisher","DOI":"10.1145\/3210240.3210337"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.1109\/tii.2019.2909473"},{"key":"ref143","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2019.2952146"},{"key":"ref144","doi-asserted-by":"publisher","DOI":"10.1145\/3386901.3388946"},{"key":"ref145","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2021.3050458"}],"container-title":["IEEE Transactions on Artificial 
Intelligence"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9078688\/10495741\/10247603.pdf?arnumber=10247603","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T01:09:14Z","timestamp":1755911354000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10247603\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4]]},"references-count":145,"journal-issue":{"issue":"4"},"URL":"https:\/\/doi.org\/10.1109\/tai.2023.3314398","relation":{},"ISSN":["2691-4581"],"issn-type":[{"value":"2691-4581","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4]]}}}