{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,10]],"date-time":"2026-07-10T12:49:29Z","timestamp":1783687769459,"version":"3.55.0"},"reference-count":88,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"am","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2021]]},"DOI":"10.1109\/tifs.2021.3117075","type":"journal-article","created":{"date-parts":[[2021,10,2]],"date-time":"2021-10-02T01:15:19Z","timestamp":1633137319000},"page":"4924-4938","source":"Crossref","is-referenced-by-count":122,"title":["Adversarial XAI Methods in Cybersecurity"],"prefix":"10.1109","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6855-6334","authenticated-orcid":false,"given":"Aditya","family":"Kuppa","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4373-2212","authenticated-orcid":false,"given":"Nhien-An","family":"Le-Khac","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref73","article-title":"Mixup inference: Better exploiting mixup to defend adversarial attacks","author":"pang","year":"2020","journal-title":"arXiv 1909 11515"},{"key":"ref72","first-page":"1310","article-title":"Certified adversarial robustness via randomized smoothing","author":"cohen","year":"2019","journal-title":"Proc ICML"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00669"},{"key":"ref70","article-title":"Towards deep learning models resistant to adversarial attacks","author":"madry","year":"2018","journal-title":"arXiv 1706 06083"},{"key":"ref76","first-page":"7913","article-title":"Robust detection of adversarial attacks by modeling the intrinsic properties of deep neural networks","author":"zheng","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref77","first-page":"4579","article-title":"Towards robust detection of adversarial examples","author":"pang","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref74","article-title":"Stochastic activation pruning for robust adversarial defense","author":"dhillon","year":"2018","journal-title":"arXiv 1803 01442"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3351095.3372850"},{"key":"ref75","article-title":"Benchmarking neural network robustness to common corruptions and perturbations","author":"hendrycks","year":"2019","journal-title":"arXiv 1903 12261"},{"key":"ref38","article-title":"Latent-CF: A simple baseline for reverse counterfactual explanations","author":"balasubramanian","year":"2020","journal-title":"arXiv 2012 09301"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1109\/ITA50056.2020.9244964"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/3180445.3180449"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3270101.3270106"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"ref31","first-page":"6103","article-title":"Poison frogs! targeted clean-label poisoning attacks on neural networks","author":"shafahi","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00057"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN48605.2020.9207637"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3339252.3339266"},{"key":"ref35","first-page":"1250","article-title":"Enabling trust in deep learning models: A digital forensics case study","author":"grzonkowski","year":"2018","journal-title":"Proc 17th IEEE Int Conf Trust Secur Privacy Comput Commun \/12th IEEE Int Conf Big Data Sci Eng (TrustCom\/BigDataSE)"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3321707.3321749"},{"key":"ref60","article-title":"Exploiting excessive invariance caused by norm-bounded adversarial robustness","author":"jacobsen","year":"2019","journal-title":"arXiv 1903 10484"},{"key":"ref62","article-title":"Explanation-guided backdoor poisoning attacks against malware classifiers","author":"severi","year":"2020","journal-title":"arXiv 2003 01031"},{"key":"ref61","article-title":"Dataset security for machine learning: Data poisoning, backdoor attacks, and defenses","author":"goldblum","year":"2020","journal-title":"arXiv 2012 10544"},{"key":"ref63","article-title":"Model extraction from counterfactual explanations","author":"a\u00efvodji","year":"2020","journal-title":"arXiv 2009 01884"},{"key":"ref28","first-page":"601","article-title":"Stealing machine learning models via prediction APIs","author":"tram\u00e8r","year":"2016","journal-title":"Proc 25th USENIX Conf Secur Symp"},{"key":"ref64","first-page":"217","article-title":"PassGAN: A deep learning approach for password guessing","volume":"11464","author":"perez-cruz","year":"2019","journal-title":"Proc 17th Int Conf Appl Cryptogr Netw Secur (ACNS)"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313591"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/3287560.3287562"},{"key":"ref66","article-title":"Explaining vulnerabilities of deep learning to adversarial malware binaries","author":"demetrio","year":"2019","journal-title":"arXiv 1901 03583"},{"key":"ref29","article-title":"On the privacy risks of model explanations","author":"shokri","year":"2019","journal-title":"arXiv 1907 00164"},{"key":"ref67","article-title":"Membership inference attacks on machine learning: A survey","author":"hu","year":"2021","journal-title":"arXiv 2103 07853"},{"key":"ref68","article-title":"Adversarial example detection for DNN models: A review and experimental comparison","author":"aldahdooh","year":"2021","journal-title":"arXiv 2105 00203"},{"key":"ref69","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2014","journal-title":"arXiv 1412 6572"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3351095.3372876"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/876"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/388"},{"key":"ref22","first-page":"1","article-title":"Interpretable deep learning under fire","author":"zhang","year":"2020","journal-title":"Proc 29th USENIX Secur Symp (USENIXSecurity)"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1016\/j.inffus.2019.12.012"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref23","year":"2016","journal-title":"Regulation General Data Protection Regulation (GDPR)"},{"key":"ref26","article-title":"Intellectual property protection for deep learning models: Taxonomy, methods, attacks, and evaluations","author":"xue","year":"2020","journal-title":"arXiv 2011 13564"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-76663-4_6"},{"key":"ref50","article-title":"Distilling the knowledge in a neural network","author":"hinton","year":"2015","journal-title":"ArXiv 1503 02531"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.5220\/0006639801080116"},{"key":"ref59","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2014","journal-title":"arXiv 1312 6199"},{"key":"ref58","article-title":"BadNets: Identifying vulnerabilities in the machine learning model supply chain","author":"gu","year":"2017","journal-title":"arXiv 1708 06733"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243757"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref55","article-title":"Systematic evaluation of privacy risks of machine learning models","author":"song","year":"2020","journal-title":"arXiv 2003 10595"},{"key":"ref54","author":"molnar","year":"2019","journal-title":"Interpretable Machine Learning"},{"key":"ref53","article-title":"Counterfactual explanations for machine learning: A review","author":"verma","year":"2020","journal-title":"arXiv 2010 10596"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.3063289"},{"key":"ref10","author":"gill","year":"2018","journal-title":"Intr to ML Interpre"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1002\/9781119201731"},{"key":"ref40","article-title":"PermuteAttack: Counterfactual explanation of machine learning credit scorecards","author":"hashemi","year":"2020","journal-title":"arXiv 2008 10138"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.3386\/w23180"},{"key":"ref13","volume":"25","author":"miller","year":"2015","journal-title":"Can an Algorithm Hire Better Than a Human?"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN48605.2020.9206780"},{"key":"ref15","doi-asserted-by":"crossref","first-page":"832","DOI":"10.3390\/electronics8080832","article-title":"Machine learning interpretability: A survey on methods and metrics","volume":"8","author":"carvalho","year":"2019","journal-title":"Electronics"},{"key":"ref82","article-title":"Secml-malware: Pentesting Windows malware classifiers with adversarial EXEmples in Python","author":"demetrio","year":"2021","journal-title":"arXiv 2104 12848"},{"key":"ref16","doi-asserted-by":"crossref","first-page":"332","DOI":"10.1017\/S1930297500002291","article-title":"A new intuitionism: Meaning, memory, and development in fuzzy-trace theory","volume":"7","author":"reyna","year":"2012","journal-title":"Judgment and Decision Making"},{"key":"ref81","first-page":"1545","article-title":"Unconstrained monotonic neural networks","author":"wehenkel","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref17","article-title":"The role of individual user differences in interpretable and explainable machine learning systems","author":"gleaves","year":"2020","journal-title":"arXiv 2009 06675"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/2020408.2020495"},{"key":"ref18","article-title":"How can i choose an explainer? An application-grounded evaluation of post-hoc explanations","author":"jesus","year":"2021","journal-title":"arXiv 2101 08758"},{"key":"ref83","first-page":"2617","article-title":"Static prediction games for adversarial learning problems","volume":"13","author":"br\u00fcckner","year":"2012","journal-title":"J Mach Learn Res"},{"key":"ref19","article-title":"Fairwashing: The risk of rationalization","author":"a\u00efvodji","year":"2019","journal-title":"arXiv 1901 09749"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586145"},{"key":"ref4","article-title":"Towards a rigorous science of interpretable machine learning","author":"doshi-velez","year":"2017","journal-title":"arXiv 1702 08608"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1145\/3351095.3372830"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/3173574.3174156"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/3236009"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1109\/DSC.2016.90"},{"key":"ref8","article-title":"Causation and manipulability","author":"woodward","year":"2016","journal-title":"The Stanford Encyclopedia of Philosophy"},{"key":"ref86","author":"anderson","year":"2017","journal-title":"Evading machine learning malware detection"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/3400051.3400058"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"ref87","article-title":"Clean-label backdoor attacks","author":"turner","year":"2018"},{"key":"ref88","article-title":"Explainable black-box attacks against model-based authentication","author":"garcia","year":"2018","journal-title":"arXiv 1810 00024"},{"key":"ref9","first-page":"556","article-title":"Effect of security controls on patching window: A causal inference based approach","author":"kuppa","year":"2020","journal-title":"Proc Comput Secur Appl Conf"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"ref45","article-title":"Adversarial machine learning attacks and defense methods in the cyber security domain","author":"rosenberg","year":"2020","journal-title":"arXiv 2007 02407"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"ref47","article-title":"EMBER: An open dataset for training static PE malware machine learning models","author":"anderson","year":"2018","journal-title":"arXiv 1804 04637"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/3301275.3302310"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/3173574.3173951"},{"key":"ref44","article-title":"Towards the science of security and privacy in machine learning","author":"papernot","year":"2016","journal-title":"arXiv 1611 03814"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/9151439\/09555622.pdf?arnumber=9555622","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,1,11]],"date-time":"2023-01-11T00:00:33Z","timestamp":1673395233000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9555622\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"references-count":88,"URL":"https:\/\/doi.org\/10.1109\/tifs.2021.3117075","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021]]}}}