{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,7]],"date-time":"2026-02-07T12:26:00Z","timestamp":1770467160275,"version":"3.49.0"},"reference-count":68,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62002167"],"award-info":[{"award-number":["62002167"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62072239"],"award-info":[{"award-number":["62072239"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62372236"],"award-info":[{"award-number":["62372236"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100019642","name":"Open Foundation of the State Key Laboratory of Integrated Services Networks","doi-asserted-by":"publisher","award":["ISN24-15"],"award-info":[{"award-number":["ISN24-15"]}],"id":[{"id":"10.13039\/501100019642","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2024]]},"DOI":"10.1109\/tifs.2024.3349869","type":"journal-article","created":{"date-parts":[[2024,1,4]],"date-time":"2024-01-04T19:30:14Z","timestamp":1704396614000},"page":"2356-2369","source":"Crossref","is-referenced-by-count":9,"title":["On Model Outsourcing Adaptive Attacks to Deep Learning Backdoor Defenses"],"prefix":"10.1109","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-7323-9093","authenticated-orcid":false,"given":"Huaibing","family":"Peng","sequence":"first","affiliation":[{"name":"School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-5385-9414","authenticated-orcid":false,"given":"Huming","family":"Qiu","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China"}]},{"given":"Hua","family":"Ma","sequence":"additional","affiliation":[{"name":"School of Electrical and Electronics Engineering, The University of Adelaide, Adelaide, SA, Australia"}]},{"given":"Shuo","family":"Wang","sequence":"additional","affiliation":[{"name":"Data61, CSIRO, Eveleigh, NSW, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1632-5737","authenticated-orcid":false,"given":"Anmin","family":"Fu","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3242-8197","authenticated-orcid":false,"given":"Said F.","family":"Al-Sarawi","sequence":"additional","affiliation":[{"name":"School of Electrical and Electronics Engineering, The University of Adelaide, Eveleigh, NSW, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0945-2674","authenticated-orcid":false,"given":"Derek","family":"Abbott","sequence":"additional","affiliation":[{"name":"School of Electrical and Electronics Engineering, The University of Adelaide, Eveleigh, NSW, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5783-2172","authenticated-orcid":false,"given":"Yansong","family":"Gao","sequence":"additional","affiliation":[{"name":"Data61, CSIRO, Eveleigh, NSW, Australia"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Backdoor attacks and countermeasures on deep learning: A comprehensive review","author":"Gao","year":"2020","journal-title":"arXiv:2007.10760"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3560905.3568539"},{"key":"ref3","article-title":"TransCAB: Model-agnostic clean-annotation backdoor to object detection with natural trigger in real-world","volume-title":"Proc. SRDS","author":"Ma"},{"key":"ref4","article-title":"Dangerous cloaking: Natural trigger based backdoor attacks on object detectors in the physical world","author":"Ma","year":"2022","journal-title":"arXiv:2201.08619"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00614"},{"key":"ref6","first-page":"57","article-title":"Can you hear it? Backdoor attacks via ultrasonic triggers","volume-title":"Proc. ACM Workshop Wireless Secur. Mach. Learn.","author":"Koffas"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.02021"},{"key":"ref8","first-page":"1487","article-title":"Explanation-guided backdoor poisoning attacks against malware classifiers","volume-title":"Proc. USENIX Secur. Symp.","author":"Severi"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00028"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3271956"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2021.3135752"},{"key":"ref12","article-title":"MagNet and \u2018efficient defenses against adversarial attacks\u2019 are not robust to adversarial examples","author":"Carlini","year":"2017","journal-title":"arXiv:1711.08478"},{"key":"ref13","article-title":"On the robustness of the CVPR 2018 white-box adversarial example defenses","author":"Athalye","year":"2018","journal-title":"arXiv:1804.03286"},{"key":"ref14","first-page":"1633","article-title":"On adaptive attacks to adversarial example defenses","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"33","author":"Tramer"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00034"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/ICIP42928.2021.9506313"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00019"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i2.16201"},{"key":"ref22","article-title":"Revisiting the assumption of latent separability for backdoor defenses","volume-title":"Proc. ICLR","author":"Qi"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP53844.2022.00049"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/647"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427264"},{"key":"ref26","article-title":"Detecting backdoor attacks on deep neural networks by activation clustering","author":"Chen","year":"2018","journal-title":"arXiv:1811.03728"},{"key":"ref27","first-page":"8000","article-title":"Spectral signatures in backdoor attacks","volume-title":"Proc. NIPS","author":"Tran"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"ref29","article-title":"Rethinking the reverse-engineering of trojan triggers","author":"Wang","year":"2022","journal-title":"arXiv:2210.15127"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.23069"},{"key":"ref31","article-title":"BadNets: Identifying vulnerabilities in the machine learning model supply chain","author":"Gu","year":"2017","journal-title":"arXiv:1708.06733"},{"key":"ref32","article-title":"Rethinking the trigger of backdoor attack","author":"Li","year":"2020","journal-title":"arXiv:2004.04692"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.3021407"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01615"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01616"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58607-2_11"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3560830.3563730"},{"key":"ref38","article-title":"Poison frogs! Targeted clean-label poisoning attacks on neural networks","author":"Shafahi","year":"2018","journal-title":"arXiv:1804.00792"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6871"},{"key":"ref40","first-page":"3454","article-title":"Input-aware dynamic backdoor attack","volume-title":"Proc. NIPS","volume":"33","author":"Nguyen"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423362"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3582829"},{"key":"ref43","first-page":"1541","article-title":"Demon in the variant: Statistical analysis of DNNs for robust backdoor contamination detection","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Tang"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354209"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00025"},{"key":"ref46","first-page":"13238","article-title":"Untargeted backdoor watermark: Towards harmless and stealthy dataset copyright protection","volume-title":"Proc. NIPS","author":"Li"},{"key":"ref47","first-page":"443","article-title":"Seeing is not believing: Camouflage attacks on image scaling algorithms","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Xiao"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/DSN48987.2021.00023"},{"key":"ref49","article-title":"One-to-multiple clean-label image camouflage (OmClic) based backdoor attack on deep learning","author":"Wang","year":"2023","journal-title":"arXiv:2309.04036"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2023.109512"},{"key":"ref51","article-title":"Narcissus: A practical clean-label backdoor attack with limited information","author":"Zeng","year":"2022","journal-title":"arXiv:2204.05255"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2022.3182979"},{"key":"ref53","article-title":"Backdoor attack in the physical world","author":"Li","year":"2021","journal-title":"arXiv:2104.02361"},{"key":"ref54","article-title":"Learning multiple layers of features from tiny images","author":"Krizhevsky","year":"2009"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2012.02.016"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46493-0_38"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3324318"},{"key":"ref60","first-page":"1","article-title":"Rethinking the reverse-engineering of trojan triggers","volume-title":"Proc. NIPS","author":"Wang"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/ICCD.2017.16"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM50108.2020.00025"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833688"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/ICCVW54120.2021.00008"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3312973"},{"key":"ref66","article-title":"SCALE-UP: An efficient black-box input-level backdoor detection via analyzing scaled prediction consistency","author":"Guo","year":"2023","journal-title":"arXiv:2302.03251"},{"key":"ref67","first-page":"14900","article-title":"Anti-backdoor learning: Training clean models on poisoned data","volume-title":"Proc. NIPS","volume":"34","author":"Li"},{"key":"ref68","first-page":"36396","article-title":"Training with more confidence: Mitigating injected and natural backdoors during training","volume-title":"Proc. NIPS","volume":"35","author":"Wang"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/10319981\/10380638.pdf?arnumber=10380638","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,18]],"date-time":"2024-01-18T01:26:06Z","timestamp":1705541166000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10380638\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":68,"URL":"https:\/\/doi.org\/10.1109\/tifs.2024.3349869","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024]]}}}