{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,18]],"date-time":"2026-06-18T15:47:05Z","timestamp":1781797625995,"version":"3.54.5"},"reference-count":216,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2025,2,1]],"date-time":"2025-02-01T00:00:00Z","timestamp":1738368000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2025,2,1]],"date-time":"2025-02-01T00:00:00Z","timestamp":1738368000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,2,1]],"date-time":"2025-02-01T00:00:00Z","timestamp":1738368000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"Sichuan Science and Technology Department Key Research and Development Program","award":["2024YFG0003"],"award-info":[{"award-number":["2024YFG0003"]}]},{"name":"Sichuan Science and Technology Program","award":["2024ZDZX0007"],"award-info":[{"award-number":["2024ZDZX0007"]}]},{"name":"Zhejiang Lab OpenResearch Project","award":["K2022PDOAB06"],"award-info":[{"award-number":["K2022PDOAB06"]}]},{"name":"Open Fund of Advanced Cryptography and System Security Key Laboratory of Sichuan Province","award":["SKLACSS-202403"],"award-info":[{"award-number":["SKLACSS-202403"]}]},{"name":"Chengdu University of Information Technology 2022 Annual Research Initiation Project","award":["KYTZ2022107"],"award-info":[{"award-number":["KYTZ2022107"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Comput. Soc. Syst."],"published-print":{"date-parts":[[2025,2]]},"DOI":"10.1109\/tcss.2024.3482723","type":"journal-article","created":{"date-parts":[[2024,11,5]],"date-time":"2024-11-05T18:34:26Z","timestamp":1730831666000},"page":"404-434","source":"Crossref","is-referenced-by-count":21,"title":["Backdoor Attack and Defense on Deep Learning: A Survey"],"prefix":"10.1109","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2475-4232","authenticated-orcid":false,"given":"Yang","family":"Bai","sequence":"first","affiliation":[{"name":"School of Cybersecurity (Xin Gu Industrial College), and SUGON Industrial Control and Security Center, Chengdu University of Information Technology, Chengdu, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-7040-8919","authenticated-orcid":false,"given":"Gaojie","family":"Xing","sequence":"additional","affiliation":[{"name":"School of Cybersecurity (Xin Gu Industrial College), and SUGON Industrial Control and Security Center, Chengdu University of Information Technology, Chengdu, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-0115-9753","authenticated-orcid":false,"given":"Hongyan","family":"Wu","sequence":"additional","affiliation":[{"name":"School of Cybersecurity (Xin Gu Industrial College), and SUGON Industrial Control and Security Center, Chengdu University of Information Technology, Chengdu, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-0140-8780","authenticated-orcid":false,"given":"Zhihong","family":"Rao","sequence":"additional","affiliation":[{"name":"30th Institute of Electronics Technology Group, Chengdu, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6198-9498","authenticated-orcid":false,"given":"Chuan","family":"Ma","sequence":"additional","affiliation":[{"name":"School of Computer Science, Chongqing University, Chongqing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5195-9682","authenticated-orcid":false,"given":"Shiping","family":"Wang","sequence":"additional","affiliation":[{"name":"College of Computer and Data Science and the Fujian Provincial Key Laboratory of Network Computing and Intelligent Information Processing, Fuzhou University, Fuzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8510-4025","authenticated-orcid":false,"given":"Xiaolei","family":"Liu","sequence":"additional","affiliation":[{"name":"Institute of Computer Application, China Academy of Engineering Physics, Mianyang, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8692-9635","authenticated-orcid":false,"given":"Yimin","family":"Zhou","sequence":"additional","affiliation":[{"name":"School of Cybersecurity (Xin Gu Industrial College), and SUGON Industrial Control and Security Center, Chengdu University of Information Technology, Chengdu, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-5321-5258","authenticated-orcid":false,"given":"Jiajia","family":"Tang","sequence":"additional","affiliation":[{"name":"School of Cybersecurity (Xin Gu Industrial College), and SUGON Industrial Control and Security Center, Chengdu University of Information Technology, Chengdu, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-7368-8862","authenticated-orcid":false,"given":"Kaijun","family":"Huang","sequence":"additional","affiliation":[{"name":"School of Cybersecurity (Xin Gu Industrial College), and SUGON Industrial Control and Security Center, Chengdu University of Information Technology, Chengdu, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-9533-8539","authenticated-orcid":false,"given":"Jiale","family":"Kang","sequence":"additional","affiliation":[{"name":"School of Cybersecurity (Xin Gu Industrial College), and SUGON Industrial Control and Security Center, Chengdu University of Information Technology, Chengdu, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2021.100379"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2015.09.116"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2020.2979670"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/3178115"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2020.10.081"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1007\/s10462-019-09794-5"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2021.3059968"},{"key":"ref8","article-title":"BadNets: Identifying vulnerabilities in the machine learning model supply chain","author":"Gu","year":"2017"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484576"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00022"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/3485832.3485837"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.02357"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00038"},{"key":"ref14","article-title":"Backdoor embedding in convolutional neural network models via invisible perturbation","author":"Liao","year":"2018"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.3390\/app12125786"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.21437\/interspeech.2020-1294"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP39728.2021.9413468"},{"key":"ref18","first-page":"57","article-title":"Can you hear it? Backdoor attacks via ultrasonic triggers","volume-title":"Proc. ACM Workshop Wireless Secur. Mach. Learn.","author":"Koffas","year":"2022"},{"key":"ref19","first-page":"2938","article-title":"How to backdoor federated learning","volume-title":"Proc. Int. Conf. Artif. Intell. Statist.","author":"Bagdasaryan","year":"2020"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.23156"},{"key":"ref21","first-page":"16070","article-title":"Attack of the tails: Yes, you really can backdoor federated learning","volume":"33","author":"Wang","year":"2020","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"ref25","article-title":"Spectral signatures in backdoor attacks","volume":"31","author":"Tran","year":"2018","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref26","article-title":"Neural attention distillation: Erasing backdoor triggers from deep neural networks","author":"Li","year":"2021"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/QRS57517.2022.00086"},{"key":"ref28","article-title":"Backdoor learning for NLP: Recent advances, challenges, and future research directions","author":"Omar","year":"2023"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/OJCS.2023.3267221"},{"key":"ref30","article-title":"Backdoor attacks and countermeasures on deep learning: A comprehensive review","author":"Gao","year":"2020"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/OJSP.2022.3190213"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2022.3182979"},{"key":"ref33","first-page":"5009","article-title":"A unified evaluation of textual backdoor learning: Frameworks and benchmarks","volume":"35","author":"Cui","year":"2022","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1163\/1574-9347_dnp_e1128020"},{"key":"ref35","first-page":"1273","article-title":"Communication-efficient learning of deep networks from decentralized data","volume-title":"Proc. Artif. Intell. Statist.","author":"McMahan","year":"2017"},{"key":"ref36","first-page":"634","article-title":"Analyzing federated learning through an adversarial lens","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Bhagoji","year":"2019"},{"key":"ref37","article-title":"DBA: Distributed backdoor attacks against federated learning","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Xie","year":"2019"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM58522.2023.00013"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/sp54263.2024.00008"},{"key":"ref40","article-title":"Backdoor federated learning by poisoning backdoor-critical layers","author":"Zhuang","year":"2023"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-56991-8_32"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2017.2743240"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i10.29052"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2021\/509"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/DAC18072.2020.9218663"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3207429"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354209"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2020.3004555"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/TSC.2020.3000900"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/SmartWorld-UIC-ATC-ScalCom-DigitalTwin-PriComp-Metaverse56740.2022.00246"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.3390\/app122412564"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1016\/j.isatra.2023.03.034"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1038\/s41586-021-03583-3"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/ICCUBEA.2018.8697857"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01615"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.3021407"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58607-2_11"},{"key":"ref58","article-title":"Label-consistent backdoor attacks","author":"Turner","year":"2019"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.02021"},{"key":"ref60","article-title":"Explainability matters: Backdoor attacks on medical imaging","author":"Nwadike","year":"2020"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.3390\/app11209556"},{"key":"ref62","article-title":"Influencer backdoor attack on semantic segmentation","author":"Lan","year":"2023"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.acl-main.249"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.naacl-main.165"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1155\/2021\/2938386"},{"key":"ref66","first-page":"3611","article-title":"Hidden trigger backdoor attack on $\\{$NLP$\\}$ models via linguistic style manipulation","volume-title":"Proc. 31st USENIX Secur. Symp. (USENIX Secur. 22)","author":"Pan","year":"2022"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.naacl-long.165"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.23238"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.emnlp-main.642"},{"key":"ref70","article-title":"Badchain: Backdoor chain-of-thought prompting for large language models","author":"Xiang","year":"2024"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.naacl-long.337"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV51070.2023.00423"},{"key":"ref73","article-title":"Badedit: Backdooring large language models by model editing","author":"Li","year":"2024"},{"key":"ref74","article-title":"TrojFM: Resource-efficient backdoor attacks against very large foundation models","author":"Nie","year":"2024"},{"key":"ref75","first-page":"1132","article-title":"Neural polarizer: A lightweight and effective backdoor defense via purifying poisoned features","volume":"36","author":"Zhu","year":"2024","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref76","article-title":"Sleeper agents: Training deceptive llms that persist through safety training","author":"Hubinger","year":"2024"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52733.2024.02327"},{"key":"ref78","article-title":"Test-time backdoor attacks on multimodal large language models","author":"Lu","year":"2024"},{"key":"ref79","article-title":"VL-Trojan: Multimodal instruction backdoor attacks against autoregressive visual language models","author":"Liang","year":"2024"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2024.3404885"},{"key":"ref81","first-page":"396","article-title":"BadDet: Backdoor attacks on object detection","volume-title":"Proc. Eur. Conf. Comput. Vis","author":"Chan","year":"2022"},{"key":"ref82","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"Chen","year":"2017"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2023.109512"},{"key":"ref84","article-title":"Scale-up: An efficient black-box input-level backdoor detection via analyzing scaled prediction consistency","author":"Guo","year":"2023"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6871"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00024"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1109\/ICIP.2019.8802997"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583392"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00614"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833644"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1109\/TCSS.2023.3267094"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01179"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583348"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref95","first-page":"1523","article-title":"Graph backdoor","volume-title":"Proc. 30th USENIX Secur. Symp. (USENIX Secur. 21)","author":"Xi","year":"2021"},{"key":"ref96","first-page":"2671","article-title":"A data-free backdoor injection approach in neural networks","volume-title":"32nd USENIX Secur. Symp. (USENIX Secur. 23)","author":"Lv","year":"2023"},{"key":"ref97","first-page":"18944","article-title":"Backdoor attack with imperceptible input and latent modification","volume":"34","author":"Doan","year":"2021","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP53844.2022.00049"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1007\/s11633-022-1377-5"},{"key":"ref100","first-page":"3454","article-title":"Input-aware dynamic backdoor attack","volume":"33","author":"Nguyen","year":"2020","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423362"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.00391"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01175"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1109\/COINS57856.2023.10189281"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2023.119743"},{"key":"ref106","first-page":"244","article-title":"Deepvenom: Persistent dnn backdoors exploiting transient weight perturbations in memories","volume-title":"Proc. IEEE Symp. Secur. Privacy (SP)","author":"Yao","year":"2024"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i19.30131"},{"key":"ref108","first-page":"6712","article-title":"Chameleon: Adapting to peer images for planting durable backdoors in federated learning","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Dai","year":"2023"},{"key":"ref109","article-title":"Watch out for your agents! investigating backdoor threats to llm-based agents","author":"Yang","year":"2024"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-naacl.94"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00750"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3314792"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW63382.2024.00348"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1145\/3570361.3613261"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2023.3328253"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2941376"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24287"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i19.30099"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i4.28104"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i3.27954"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-19778-9_23"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.acl-long.37"},{"key":"ref123","article-title":"Wanet\u2013imperceptible warping-based backdoor attack","author":"Nguyen","year":"2021"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01445"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i3.28019"},{"key":"ref126","article-title":"Generalization bound and new algorithm for clean-label backdoor attack","author":"Yu","year":"2024"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM42981.2021.9488902"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS51616.2021.00086"},{"key":"ref129","first-page":"40786","article-title":"Bird: generalizable backdoor detection and removal for deep reinforcement learning","volume":"36","author":"Chen","year":"2023","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3312973"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3297056"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3055844"},{"key":"ref133","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i1.27780"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01458"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3103064"},{"key":"ref136","first-page":"15","article-title":"MM-BD: Post-training detection of backdoor attacks with arbitrary backdoor pattern types using a maximum margin statistic","volume-title":"Proc. IEEE Symp. Secur. Privacy (SP)","author":"Wang","year":"2023"},{"key":"ref137","first-page":"2725","article-title":"$\\{$ASSET$\\}$: Robust backdoor data detection across a multiplicity of deep learning paradigms","volume-title":"Proc. 32nd USENIX Secur. Symp. (USENIX Secur.)","author":"Pan","year":"2023"},{"key":"ref138","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2023.03.112"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.23069"},{"key":"ref140","article-title":"PSBD: Prediction shift uncertainty unlocks backdoor detection","author":"Li","year":"2024"},{"key":"ref141","doi-asserted-by":"publisher","DOI":"10.1145\/3639828"},{"key":"ref142","article-title":"Ufid: A unified framework for input-level backdoor detection on diffusion models","author":"Guan","year":"2024"},{"key":"ref143","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01178"},{"key":"ref144","article-title":"Onion: A simple and effective defense against textual backdoor attacks","author":"Qi","year":"2020"},{"key":"ref145","first-page":"9727","article-title":"Effective backdoor defense by exploiting sensitivity of poisoned samples","volume":"35","author":"Chen","year":"2022","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref146","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2023.03.052"},{"key":"ref147","first-page":"4129","article-title":"Spectre: Defending against backdoor attacks using robust covariance estimation","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Hayase","year":"2020"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01569"},{"key":"ref149","article-title":"IBD-PSC: Input-level backdoor detection via parameter-oriented scaling consistency","author":"Hou","year":"2024"},{"key":"ref150","first-page":"57887","article-title":"SHINE: Shielding backdoors in deep reinforcement learning","volume-title":"Proc. 41st Int. Conf. Mach. Learn., ser. Proc. Mach. Learn. Res.","volume":"235","author":"Yuan","year":"2024"},{"key":"ref151","article-title":"Aeva: Black-box backdoor detection using adversarial extreme value analysis","author":"Guo","year":"2021"},{"key":"ref152","article-title":"Top: Backdoor detection in neural networks via transferability of perturbation","author":"Huster","year":"2021"},{"key":"ref153","first-page":"2883","article-title":"Neural network semantic backdoor detection and mitigation: A causality-based approach","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Sun","year":"2024"},{"key":"ref154","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58583-9_20"},{"key":"ref155","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2022.3201586"},{"key":"ref156","first-page":"35892","article-title":"TERD: A unified framework for safeguarding diffusion models against backdoors","volume-title":"Proc. 41st Int. Conf. Mach. Learn., ser. Proc. Mach. Learn. Res.","volume":"235","author":"Mo","year":"2024"},{"key":"ref157","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM50108.2020.00025"},{"key":"ref158","article-title":"Rethinking the trigger of backdoor attack","author":"Li","year":"2020"},{"key":"ref159","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2022.3159784"},{"key":"ref160","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.00784"},{"key":"ref161","first-page":"2255","article-title":"$\\{$T-Miner$\\}$: A generative approach to defend against trojan attacks on $\\{$DNN-based$\\}$ text classification","volume-title":"Proc. 30th USENIX Secur. Symp. (USENIX Secur. 21)","author":"Azizi","year":"2021"},{"key":"ref162","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2021.04.105"},{"key":"ref163","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i19.30186"},{"key":"ref164","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01176"},{"key":"ref165","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"ref166","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01617"},{"key":"ref167","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453108"},{"key":"ref168","article-title":"Mitigating backdoor attacks in federated learning","author":"Wu","year":"2020"},{"key":"ref169","article-title":"Can you really backdoor federated learning?","author":"Sun","year":"2019"},{"key":"ref170","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i8.16849"},{"key":"ref171","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2022.118990"},{"key":"ref172","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-20065-6_11"},{"key":"ref173","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00034"},{"key":"ref174","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179451"},{"key":"ref175","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103366"},{"key":"ref176","first-page":"27439","article-title":"Purifying quantization-conditioned backdoors via layer-wise activation correction with distribution approximation","volume-title":"Proc. 41st Int. Conf. Mach. Learn.","author":"Li","year":"2024"},{"key":"ref177","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i19.30183"},{"key":"ref178","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i13.29385"},{"key":"ref179","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427264"},{"key":"ref180","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN48605.2020.9207291"},{"key":"ref181","doi-asserted-by":"publisher","DOI":"10.1109\/access.2021.3086529"},{"key":"ref182","article-title":"Detecting backdoor attacks on deep neural networks by activation clustering","author":"Chen","year":"2018"},{"key":"ref183","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP49357.2023.10095007"},{"key":"ref184","article-title":"Backdoor defense via decoupling the training process","author":"Huang","year":"2022"},{"key":"ref185","first-page":"36396","article-title":"Training with more confidence: Mitigating injected and natural backdoors during training","volume":"35","author":"Wang","year":"2022","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref186","first-page":"14900","article-title":"Anti-backdoor learning: Training clean models on poisoned data","volume":"34","author":"Li","year":"2021","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref187","first-page":"19837","article-title":"Reconstructive neuron pruning for backdoor defense","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Li","year":"2023"},{"key":"ref188","first-page":"61108\u201361120,","article-title":"Defense against backdoor attack on pre-trained language models via head pruning and attention normalization","volume-title":"Proc. 41st Int. Conf. Mach. Learn.","volume":"235,","author":"Zhao","year":"2024"},{"key":"ref189","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i10.29023"},{"key":"ref190","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/647"},{"key":"ref191","first-page":"14004","article-title":"Defending neural backdoors via generative distribution modeling","volume":"32","author":"Qiao","year":"2019","journal-title":"Proc. Adv. Neural Inf. Process. Syst."},{"key":"ref192","article-title":"Robust anomaly detection and backdoor attack detection via differential privacy","author":"Du","year":"2019"},{"key":"ref193","first-page":"11372","article-title":"Crfl: Certifiably robust federated learning against backdoor attacks","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Xie","year":"2021"},{"key":"ref194","article-title":"On certifying robustness against backdoor attacks via randomized smoothing","author":"Wang","year":"2020"},{"key":"ref195","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i9.21191"},{"key":"ref196","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01177"},{"key":"ref197","first-page":"32239","article-title":"Causality based front-door defense against backdoor attack on language models","volume-title":"Proc. 41st Int. Conf. Mach. Learn.","volume":"235","author":"Liu","year":"2024"},{"key":"ref198","doi-asserted-by":"publisher","DOI":"10.3390\/electronics8030292"},{"key":"ref199","doi-asserted-by":"publisher","DOI":"10.1145\/3200947.3208069"},{"key":"ref200","article-title":"The language of fake news: Opening the black-box of deep learning based detectors","author":"O\u2019Brien","year":"2018"},{"key":"ref201","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.emnlp-main.446"},{"key":"ref202","article-title":"Very deep convolutional networks for large-scale image recognition","author":"Simonyan","year":"2014"},{"key":"ref203","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref204","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.1706.03762"},{"key":"ref205","doi-asserted-by":"publisher","DOI":"10.1145\/3539618.3591949"},{"key":"ref206","article-title":"BERT: Pre-training of deep bidirectional transformers for language understanding","author":"Devlin","year":"2018"},{"key":"ref207","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2021.findings-emnlp.40"},{"key":"ref208","doi-asserted-by":"publisher","DOI":"10.1177\/0278364913491297"},{"key":"ref209","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/N16-2013"},{"key":"ref210","doi-asserted-by":"publisher","DOI":"10.1609\/icwsm.v11i1.14955"},{"key":"ref211","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3265535"},{"key":"ref212","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2023.3250210"},{"key":"ref213","doi-asserted-by":"publisher","DOI":"10.1109\/ICPR48806.2021.9412684"},{"key":"ref214","article-title":"Neuroninspect: Detecting backdoors in neural networks via output explanations","author":"Huang","year":"2019"},{"key":"ref215","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00225"},{"key":"ref216","first-page":"28309","article-title":"A theoretical analysis of backdoor poisoning attacks in convolutional neural networks","volume-title":"Proc. 41st Int. Conf. Mach. Learn.","volume":"235","author":"Li","year":"2024"}],"container-title":["IEEE Transactions on Computational Social Systems"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6570650\/10856531\/10744415.pdf?arnumber=10744415","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,1,29]],"date-time":"2025-01-29T19:07:57Z","timestamp":1738177677000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10744415\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2]]},"references-count":216,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/tcss.2024.3482723","relation":{},"ISSN":["2329-924X","2373-7476"],"issn-type":[{"value":"2329-924X","type":"electronic"},{"value":"2373-7476","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2]]}}}