{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,10]],"date-time":"2026-01-10T03:59:32Z","timestamp":1768017572109,"version":"3.49.0"},"reference-count":59,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"4","license":[{"start":{"date-parts":[[2023,7,1]],"date-time":"2023-07-01T00:00:00Z","timestamp":1688169600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2023,7,1]],"date-time":"2023-07-01T00:00:00Z","timestamp":1688169600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2023,7,1]],"date-time":"2023-07-01T00:00:00Z","timestamp":1688169600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Dependable and Secure Comput."],"published-print":{"date-parts":[[2023,7,1]]},"DOI":"10.1109\/tdsc.2022.3196790","type":"journal-article","created":{"date-parts":[[2022,8,5]],"date-time":"2022-08-05T19:29:18Z","timestamp":1659727758000},"page":"3434-3448","source":"Crossref","is-referenced-by-count":11,"title":["Evaluating the Robustness of Trigger Set-Based Watermarks Embedded in Deep Neural Networks"],"prefix":"10.1109","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8717-6890","authenticated-orcid":false,"given":"Suyoung","family":"Lee","sequence":"first","affiliation":[{"name":"School of Computing, KAIST, Daejeon, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3336-9256","authenticated-orcid":false,"given":"Wonho","family":"Song","sequence":"additional","affiliation":[{"name":"School of Computing, KAIST, Daejeon, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Suman","family":"Jana","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Columbia University, New York, NY, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Meeyoung","family":"Cha","sequence":"additional","affiliation":[{"name":"School of Computing, KAIST, Daejeon, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0904-2875","authenticated-orcid":false,"given":"Sooel","family":"Son","sequence":"additional","affiliation":[{"name":"School of Computing, KAIST, Daejeon, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/947380.947395"},{"key":"ref2","first-page":"1615","article-title":"Turning your weakness into a strength: Watermarking deep neural networks by backdooring","volume-title":"Proc. USENIX Secur. Symp.","author":"Adi"},{"key":"ref3","first-page":"2621","article-title":"Measuring neural net robustness with constraints","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Bastani"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24434"},{"key":"ref5","article-title":"On evaluating adversarial robustness","author":"Carlini","year":"2019"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"ref7","article-title":"MagNet and \u201cefficient defenses against adversarial attacks\u201d are not robust to adversarial examples","author":"Carlini","year":"2017"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/647"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/3323873.3325042"},{"key":"ref11","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"Chen","year":"2017"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453079"},{"key":"ref13","first-page":"2343","article-title":"On training robust PDF malware classifiers","volume-title":"Proc. USENIX Secur. Symp.","author":"Chen"},{"key":"ref14","first-page":"192","article-title":"The loss surfaces of multilayer networks","volume-title":"Proc. Int. Conf. Artif. Intell. Statist.","author":"Choromanska"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/49.668979"},{"key":"ref16","first-page":"4716","article-title":"Rethinking deep neural network ownership verification: Embedding passports to defeat ambiguity attacks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Fan"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"ref18","article-title":"Explaining and harnessing adversarial examples","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Goodfellow"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46466-4_15"},{"key":"ref20","article-title":"BadNets: Identifying vulnerabilities in the machine learning model supply chain. CoRR, abs","author":"Gu","year":"2019"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3240765.3240862"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-63387-9_1"},{"key":"ref24","first-page":"1937","article-title":"Entangled watermarks as a defense against model extraction","volume-title":"Proc. USENIX Secur. Symp.","author":"Jia"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"ref27","article-title":"Adam: A method for stochastic optimization","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Kingma"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/79.879337"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"ref30","article-title":"Neural attention distillation: Erasing backdoor triggers from deep neural networks","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Li"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359801"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.1706.06083"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-019-04434-z"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3321705.3329808"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"ref40","first-page":"1363","article-title":"Adversarial preprocessing: Understanding and preventing image-scaling attacks in machine learning","volume-title":"Proc. USENIX Secur. Symp.","author":"Quiring"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304051"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-015-0816-y"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3437880.3460401"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2018.04.027"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417231"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/5.687830"},{"key":"ref47","article-title":"Intriguing properties of neural networks","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Szegedy"},{"key":"ref48","first-page":"10096","article-title":"EfficientNetV2: Smaller models and faster training","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Tan"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180220"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241142"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/3078971.3078974"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/2647868.2654948"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref54","article-title":"Fashion-MNIST: A novel image dataset for benchmarking machine learning algorithms","author":"Xiao","year":"2017"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134018"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243754"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3446776"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196550"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6976"}],"container-title":["IEEE Transactions on Dependable and Secure Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/8858\/10177761\/09851498.pdf?arnumber=9851498","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,5,23]],"date-time":"2024-05-23T05:45:29Z","timestamp":1716443129000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9851498\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,7,1]]},"references-count":59,"journal-issue":{"issue":"4"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2022.3196790","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"value":"1545-5971","type":"print"},{"value":"1941-0018","type":"electronic"},{"value":"2160-9209","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,7,1]]}}}