{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,28]],"date-time":"2026-02-28T18:19:53Z","timestamp":1772302793841,"version":"3.50.1"},"reference-count":63,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"ZJU Kunpeng&#x0026;Ascend Center of Excellence"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Dependable and Secure Comput."],"published-print":{"date-parts":[[2026,1]]},"DOI":"10.1109\/tdsc.2025.3609476","type":"journal-article","created":{"date-parts":[[2025,9,12]],"date-time":"2025-09-12T17:33:29Z","timestamp":1757698409000},"page":"559-576","source":"Crossref","is-referenced-by-count":2,"title":["Effectiveness of Distillation Attack and Countermeasure on Neural Network Watermarking"],"prefix":"10.1109","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-4995-7085","authenticated-orcid":false,"given":"Ziqi","family":"Yang","sequence":"first","affiliation":[{"name":"State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou, China"}]},{"given":"Tong","family":"Tang","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, China"}]},{"given":"Hung","family":"Dang","sequence":"additional","affiliation":[{"name":"Caliber, Pittsburgh, PA, USA"}]},{"given":"Zhengyang","family":"Wu","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4613-0866","authenticated-orcid":false,"given":"Ee-Chien","family":"Chang","sequence":"additional","affiliation":[{"name":"Department of Computer Science, School of Computing, National University of Singapore, Singapore"}]}],"member":"263","reference":[{"key":"ref1","first-page":"1615","article-title":"Turning your weakness into a strength: Watermarking deep neural networks by backdooring","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Adi"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-11012-3_25"},{"key":"ref3","first-page":"233","article-title":"A closer look at memorization in deep networks","volume-title":"Proc. 34th Int. Conf. Mach. Learn.","author":"Arpit"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i9.21184"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/3323873.3325042"},{"key":"ref6","article-title":"Blackmarks: Blackbox multibit watermarking for deep neural networks","author":"Chen","year":"2019"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833747"},{"key":"ref8","first-page":"2285","article-title":"Compressing neural networks with the hashing trick","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Chen"},{"key":"ref9","article-title":"Targeted backdoor attacks on deep learning systems using data Poisoning","author":"Chen","year":"2017"},{"key":"ref10","first-page":"1780","article-title":"You are caught stealing my winning lottery ticket! making a lottery ticket claim its ownership","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Chen"},{"key":"ref11","first-page":"1937","article-title":"Entangled watermarks as a defense against model extraction","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Choquette-Choo"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/83.650120"},{"key":"ref13","first-page":"1534","article-title":"DeepMarks: A digital fingerprinting framework for deep neural networks","volume":"39","author":"Rouhani","year":"2019","journal-title":"IEEE Trans. Comput.-Aided Des. Integrated Circuits Syst."},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"ref15","first-page":"1269","article-title":"Exploiting linear structure within convolutional networks for efficient evaluation","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Denton"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2014.81"},{"key":"ref17","article-title":"Badnets: Identifying vulnerabilities in the machine learning model supply chain","author":"Gu","year":"2017"},{"key":"ref18","article-title":"Badnets: Identifying vulnerabilities in the machine learning model supply chain","volume-title":"Proc. Mach. Learn. Comput. Secur. Workshop","author":"Gu"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2016.30"},{"key":"ref20","article-title":"Deep compression: Compressing deep neural networks with pruning, trained quantization and huffman coding","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Han"},{"key":"ref21","first-page":"1135","article-title":"Learning both weights and connections for efficient neural network","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Han"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref23","article-title":"Distilling the knowledge in a neural network","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst. Deep Learn. Representation Learn. Workshop","author":"Hinton"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"ref25","article-title":"Labeled faces in the wild: A database for studying face recognition in unconstrained environments","author":"Huang","year":"2007"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.5244\/C.28.88"},{"key":"ref27","first-page":"1937","article-title":"Entangled watermarks as a defense against model extraction","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Jia"},{"key":"ref28","article-title":"The cifar-10 dataset","author":"Krizhevsky","year":"2014"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-019-04434-z"},{"key":"ref30","article-title":"The mnist database of handwritten digits","author":"LeCun","year":"1998"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1038\/nature14539"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3265535"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref34","article-title":"Rethinking the value of network pruning","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Liu"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-19772-7_32"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833693"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3242737"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00099"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-019-04434-z"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2014.222"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2009.191"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"ref44","first-page":"5287","article-title":"DeepEclipse: How to break White-Box DNN-Watermarking schemes","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Pegoraro","year":"2024"},{"key":"ref45","article-title":"Deep learning is robust to massive label noise","author":"Rolnick","year":"2017"},{"key":"ref46","article-title":"DeepSigns: A generic watermarking framework for IP protection of deep learning models","author":"Rouhani","year":"2018"},{"key":"ref47","first-page":"1","article-title":"DeepSigns: A generic watermarking framework for IP protection of deep learning models","volume-title":"Proc. 21st Asia South Pacific Des. Automat. Conf.","author":"Rouhani"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134077"},{"key":"ref49","first-page":"1929","article-title":"Dropout: A simple way to prevent neural networks from overfitting","volume":"15","author":"Srivastava","year":"2014","journal-title":"J. Mach. Learn. Res."},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1145\/3474085.3475591"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2024.3426957"},{"key":"ref52","first-page":"601","article-title":"Stealing machine learning models via prediction $\\lbrace APIs\\rbrace${APIs}","volume-title":"Proc. 25th USENIX Secur. Symp.","author":"Tram\u00e8r"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3078971.3078974"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3450000"},{"key":"ref55","article-title":"Cracking white-box DNN watermarks via invariant neuron transforms","author":"Yan","year":"2022"},{"key":"ref56","first-page":"2347","article-title":"Rethinking white-box watermarks on deep learning models under neural structural obfuscation","volume-title":"Proc. 32th USENIX Secur. Symp.","author":"Yan"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.5244\/C.30.87"},{"key":"ref58","article-title":"Adadelta: An adaptive learning rate method","author":"Zeiler","year":"2012"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/3446776"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196550"},{"key":"ref61","first-page":"5305","article-title":"ModelGuard: Information-theoretic defense against model extraction attacks","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Zhang","year":"2024"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298809"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01445"}],"container-title":["IEEE Transactions on Dependable and Secure Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/8858\/11354469\/11163719.pdf?arnumber=11163719","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,20]],"date-time":"2026-01-20T23:23:15Z","timestamp":1768951395000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11163719\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1]]},"references-count":63,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2025.3609476","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"value":"1545-5971","type":"print"},{"value":"1941-0018","type":"electronic"},{"value":"2160-9209","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1]]}}}