{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,9]],"date-time":"2025-12-09T08:26:49Z","timestamp":1765268809620,"version":"3.37.3"},"reference-count":81,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100000923","name":"Australian Research Council","doi-asserted-by":"publisher","award":["DP190102443"],"award-info":[{"award-number":["DP190102443"]}],"id":[{"id":"10.13039\/501100000923","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2021]]},"DOI":"10.1109\/tifs.2021.3108407","type":"journal-article","created":{"date-parts":[[2021,8,30]],"date-time":"2021-08-30T20:52:03Z","timestamp":1630356723000},"page":"4521-4533","source":"Crossref","is-referenced-by-count":7,"title":["Odyssey: Creation, Analysis and Detection of Trojan Models"],"prefix":"10.1109","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1269-1190","authenticated-orcid":false,"given":"Marzieh","family":"Edraki","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5522-4456","authenticated-orcid":false,"given":"Nazmul","family":"Karim","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nazanin","family":"Rahnavard","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5206-3842","authenticated-orcid":false,"given":"Ajmal","family":"Mian","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8216-1128","authenticated-orcid":false,"given":"Mubarak","family":"Shah","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"ref72","article-title":"Very deep convolutional networks for large-scale image recognition","author":"simonyan","year":"2014","journal-title":"arXiv 1409 1556"},{"journal-title":"MNIST Handwritten Digit Database","year":"2010","author":"lecun","key":"ref71"},{"key":"ref70","article-title":"Fashion-MNIST: A novel image dataset for benchmarking machine learning algorithms","author":"xiao","year":"2017","journal-title":"ArXiv 1708 07747"},{"journal-title":"NIST Trojai Challenge Round3","year":"2020","key":"ref76"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1007\/BF00994018"},{"key":"ref39","article-title":"Towards deep learning models resistant to adversarial attacks","author":"madry","year":"2017","journal-title":"arXiv 1706 06083"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298594"},{"key":"ref38","article-title":"LSDAT: Low-rank and sparse decomposition for decision-based adversarial attack","author":"esmaeili","year":"2021","journal-title":"arXiv 2103 10787"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"journal-title":"NIST Trojai Challenge Round0","year":"2020","key":"ref79"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00130"},{"key":"ref32","first-page":"10932","article-title":"Improving black-box adversarial attacks with a transfer-based prior","author":"cheng","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref31","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2014","journal-title":"arXiv 1412 6572"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/ICCVW.2019.00400"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00072"},{"key":"ref35","article-title":"Label universal targeted attack","author":"akhtar","year":"2019","journal-title":"arXiv 1905 11544"},{"key":"ref34","article-title":"Improving query efficiency of black-box adversarial attack","author":"bai","year":"2020","journal-title":"arXiv 2009 11508"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP40776.2020.9054581"},{"key":"ref62","article-title":"NeuronInspect: Detecting backdoors in neural networks via output explanations","author":"huang","year":"2019","journal-title":"arXiv 1911 07399"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/647"},{"key":"ref28","article-title":"Fitted learning: Models with awareness of their limits","author":"kardan","year":"2016","journal-title":"arXiv 1609 02226"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58583-9_20"},{"key":"ref27","article-title":"Adversarial examples in the physical world","author":"kurakin","year":"2016","journal-title":"arXiv 1607 02533"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00038"},{"key":"ref65","article-title":"Detecting AI trojans using meta neural analysis","author":"xu","year":"2019","journal-title":"arXiv 1910 03137"},{"key":"ref29","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2013","journal-title":"arXiv 1312 6199"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/TEVC.2019.2890858"},{"journal-title":"Cifar-10 (canadian institute for advanced research)","year":"2020","author":"krizhevsky","key":"ref69"},{"key":"ref2","first-page":"1799","article-title":"Joint training of a convolutional network and a graphical model for human pose estimation","author":"tompson","year":"2014","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref1","first-page":"1097","article-title":"ImageNet classification with deep convolutional neural networks","author":"krizhevsky","year":"2012","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref20","first-page":"8000","article-title":"Spectral signatures in backdoor attacks","author":"tran","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref22","article-title":"TABOR: A highly accurate approach to inspecting and restoring trojan backdoors in AI systems","author":"guo","year":"2019","journal-title":"arXiv 1908 01763"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"journal-title":"NIST Trojai Challenge Round0","year":"2020","key":"ref24"},{"key":"ref23","first-page":"14004","article-title":"Defending neural backdoors via generative distribution modeling","author":"qiao","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref26","article-title":"Towards consistent predictive confidence through fitted ensembles","author":"kardan","year":"2021","journal-title":"arXiv 2106 12070"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2017.7965897"},{"key":"ref50","article-title":"Backdoor attacks to graph neural networks","author":"zhang","year":"2020","journal-title":"arXiv 2006 11165"},{"key":"ref51","article-title":"TrojanNet: Embedding hidden trojan horse models in neural networks","author":"guo","year":"2020","journal-title":"arXiv 2002 10078"},{"key":"ref59","article-title":"SentiNet: Detecting localized universal attacks against deep learning systems","author":"chou","year":"2018","journal-title":"arXiv 1812 00292"},{"key":"ref58","article-title":"Detecting backdoor attacks on deep neural networks by activation clustering","author":"chen","year":"2018","journal-title":"arXiv 1811 03728"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_14"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01321"},{"key":"ref52","first-page":"14443","article-title":"Clean-label backdoor attacks on video recognition models","author":"zhao","year":"2020","journal-title":"Proc IEEE\/CVF Conf Comput Vis Pattern Recognit (CVPR)"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098158"},{"key":"ref40","article-title":"Ensemble adversarial training: Attacks and defenses","author":"tram\u00e8r","year":"2017","journal-title":"arXiv 1705 07204"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1109\/WINCOM.2016.7777224"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC48688.2020.0-218"},{"key":"ref13","article-title":"A novel framework for threat analysis of machine learning-based smart healthcare systems","author":"haque","year":"2021","journal-title":"arXiv 2103 03472"},{"key":"ref14","article-title":"BadNets: Identifying vulnerabilities in the machine learning model supply chain","author":"gu","year":"2017","journal-title":"arXiv 1708 06733"},{"article-title":"Trojaning attack on neural networks","year":"2017","author":"liu","key":"ref15"},{"key":"ref16","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"chen","year":"2017","journal-title":"arXiv 1712 05526"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243757"},{"key":"ref81","article-title":"Hidden trigger backdoor attacks","author":"saha","year":"2019","journal-title":"arXiv 1910 00033"},{"key":"ref18","article-title":"PoTrojan: Powerful neural-level trojan designs in deep learning models","author":"zou","year":"2018","journal-title":"arXiv 1802 03043"},{"key":"ref19","article-title":"How to backdoor federated learning","author":"bagdasaryan","year":"2018","journal-title":"arXiv 1807 00459"},{"journal-title":"NIST Trojai Challenge Round0","year":"2020","key":"ref80"},{"key":"ref4","article-title":"Photo-realistic single image super-resolution using a generative adversarial network","author":"ledig","year":"2016","journal-title":"arXiv 1609 04802"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2012.231"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/ASRU.2011.6163930"},{"key":"ref5","article-title":"SPI-GAN: Towards single-pixel imaging through generative adversarial network","author":"karim","year":"2021","journal-title":"arXiv 2107 01330"},{"key":"ref8","first-page":"1","article-title":"Deep reinforcement learning with double Q-learning","volume":"30","author":"van hasselt","year":"2016","journal-title":"Proc AAAI Conf Artif Intell"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354209"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2012.2205597"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/MLSP.2019.8918768"},{"key":"ref46","first-page":"1","article-title":"DBA: Distributed backdoor attacks against federated learning","author":"xie","year":"2019","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref45","first-page":"412","article-title":"One man&#x2019;s trash is another man&#x2019;s treasure: Resisting adversarial examples by adversarial examples","author":"xiao","year":"2020","journal-title":"Proc IEEE\/CVF Conf Comput Vis Pattern Recognit (CVPR)"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6871"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58607-2_11"},{"key":"ref42","first-page":"227","article-title":"You only propagate once: Accelerating adversarial training via maximal principle","author":"zhang","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref41","first-page":"785","article-title":"Adversarial training with bi-directional likelihood regularization for visual classification","author":"wan","year":"2020","journal-title":"Proc Eur Conf Comput Vis"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00103"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58452-8_33"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/9151439\/09524677.pdf?arnumber=9524677","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,10]],"date-time":"2022-05-10T14:52:35Z","timestamp":1652194355000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9524677\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"references-count":81,"URL":"https:\/\/doi.org\/10.1109\/tifs.2021.3108407","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"type":"print","value":"1556-6013"},{"type":"electronic","value":"1556-6021"}],"subject":[],"published":{"date-parts":[[2021]]}}}