{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,29]],"date-time":"2026-05-29T11:19:21Z","timestamp":1780053561445,"version":"3.54.0"},"reference-count":205,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"2","license":[{"start":{"date-parts":[[2023,2,1]],"date-time":"2023-02-01T00:00:00Z","timestamp":1675209600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2023,2,1]],"date-time":"2023-02-01T00:00:00Z","timestamp":1675209600000},"content-version":"am","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2023,2,1]],"date-time":"2023-02-01T00:00:00Z","timestamp":1675209600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2023,2,1]],"date-time":"2023-02-01T00:00:00Z","timestamp":1675209600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/100000185","name":"Defense Advanced Research Projects Agency","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000185","id-type":"DOI","asserted-by":"publisher"}]},{"name":"QED4RML"},{"name":"D3M programs"},{"DOI":"10.13039\/501100008982","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CCF-1910100"],"award-info":[{"award-number":["CCF-1910100"]}],"id":[{"id":"10.13039\/501100008982","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100008982","name":"National Science Foundation","doi-asserted-by":"publisher","award":["TWC-1409915"],"award-info":[{"award-number":["TWC-1409915"]}],"id":[{"id":"10.13039\/501100008982","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100008982","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CCF-1553428"],"award-info":[{"award-number":["CCF-1553428"]}],"id":[{"id":"10.13039\/501100008982","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100008982","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-1815221"],"award-info":[{"award-number":["CNS-1815221"]}],"id":[{"id":"10.13039\/501100008982","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Amazon Research Award Program"},{"name":"Berkeley DeepDrive"},{"name":"Facebook PhD Fellowship"},{"name":"Facebook PhD Fellowship"},{"DOI":"10.13039\/501100008982","name":"National Science Foundation","doi-asserted-by":"publisher","award":["DMS-1912866"],"award-info":[{"award-number":["DMS-1912866"]}],"id":[{"id":"10.13039\/501100008982","id-type":"DOI","asserted-by":"publisher"}]},{"name":"ONR MURI Program"},{"DOI":"10.13039\/100000879","name":"Alfred P. Sloan Foundation","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000879","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Pattern Anal. Mach. Intell."],"published-print":{"date-parts":[[2023,2,1]]},"DOI":"10.1109\/tpami.2022.3162397","type":"journal-article","created":{"date-parts":[[2022,3,25]],"date-time":"2022-03-25T19:51:55Z","timestamp":1648237915000},"page":"1563-1580","source":"Crossref","is-referenced-by-count":233,"title":["Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses"],"prefix":"10.1109","volume":"45","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8266-2424","authenticated-orcid":false,"given":"Micah","family":"Goldblum","sequence":"first","affiliation":[{"name":"University of Maryland, College Park, MD, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Dimitris","family":"Tsipras","sequence":"additional","affiliation":[{"name":"Massachusetts Institute of Technology, Cambridge, MA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5460-3785","authenticated-orcid":false,"given":"Chulin","family":"Xie","sequence":"additional","affiliation":[{"name":"University of Illinois, Champaign, IL, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xinyun","family":"Chen","sequence":"additional","affiliation":[{"name":"University of California, Berkeley, CA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Avi","family":"Schwarzschild","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park, MD, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Dawn","family":"Song","sequence":"additional","affiliation":[{"name":"University of California, Berkeley, CA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Aleksander","family":"Madry","sequence":"additional","affiliation":[{"name":"Massachusetts Institute of Technology, Cambridge, MA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Bo","family":"Li","sequence":"additional","affiliation":[{"name":"University of Illinois, Champaign, IL, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Tom","family":"Goldstein","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park, MD, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Microsoft chatbot is taught to swear on Twitter","volume-title":"BBC News","author":"Wakefield","year":"2016"},{"key":"ref2","article-title":"Possible malware found hidden inside images from the ImageNet dataset","year":"2020"},{"key":"ref3","first-page":"1","article-title":"Exploiting machine learning to subvert your spam filter","volume-title":"Proc. 1st USENIX Workshop Large-Scale Exploits Emergent Threats","author":"Nelson"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.3532474"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2018.2886017"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-63076-8_1"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2022.3182979"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2020.07.133"},{"key":"ref9","article-title":"Backdoor attacks and countermeasures on deep learning: A comprehensive review","author":"Gao","year":"2020"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2019.100199"},{"key":"ref12","article-title":"VENOMAVE: Clean-label poisoning against speech recognition","author":"Aghakhani","year":"2020"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-67658-2_10"},{"key":"ref14","article-title":"SpamBayes: Effective open-source, Bayesian based, email classification system","volume-title":"Proc. 1st Conf. Email Anti-Spam","author":"Meyer"},{"key":"ref15","first-page":"1893","article-title":"Data poisoning attacks on factorization-based collaborative filtering","volume-title":"Proc. 30th Int. Conf. Neural Informat. Process. Syst.","author":"Li"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274706"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/GLOBECOM38437.2019.9013539"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380072"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/657"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3397271.3401301"},{"key":"ref21","first-page":"947","article-title":"Data poisoning attacks to local differential privacy protocols","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Cao"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3209582.3209594"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01554-1_11"},{"key":"ref24","first-page":"4042","article-title":"Data poisoning attacks on stochastic bandits","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Liu"},{"key":"ref25","first-page":"201","article-title":"Online data poisoning attacks","volume-title":"Proc. Conf. Learn. Dyn. Control","author":"Zhang"},{"key":"ref26","first-page":"1589","article-title":"Fawkes: Protecting personal privacy against unauthorized deep learning models","volume-title":"Proc. USENIX Secur. Symp.","author":"Shan"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2021-0044"},{"key":"ref28","article-title":"Lowkey: Leveraging adversarial attacks to protect social media users from facial recognition","author":"Cherepanova","year":"2021","journal-title":"arXiv:2101.07922"},{"key":"ref29","article-title":"Face-Off: Adversarial face obfuscation","author":"Gao","year":"2020"},{"key":"ref30","first-page":"634","article-title":"Analyzing federated learning through an adversarial lens","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Bhagoji"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2021.3128646"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_24"},{"key":"ref33","first-page":"6103","article-title":"Poison frogs! Targeted clean-label poisoning attacks on neural networks","volume-title":"Proc. Adv. Neural Informat. Process. Syst.","author":"Shafahi"},{"key":"ref34","article-title":"Just how toxic is data poisoning? A unified benchmark for backdoor and data poisoning attacks","author":"Schwarzschild","year":"2020"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58583-9_9"},{"key":"ref36","article-title":"Transferable clean-label poisoning attacks on deep neural nets","author":"Zhu","year":"2019"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00021"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243757"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140451"},{"key":"ref40","article-title":"Poisoning attacks against support vector machines","author":"Biggio","year":"2012"},{"key":"ref41","first-page":"1689","article-title":"Is feature selection secure against training data poisoning?","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Xiao"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v29i1.9569"},{"key":"ref43","first-page":"1885","article-title":"Understanding black-box predictions via influence functions","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Koh"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/3041008.3041012"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00057"},{"key":"ref46","article-title":"Metapoison: Practical general-purpose clean-label data poisoning","author":"Huang","year":"2020"},{"key":"ref47","article-title":"Witches\u2019 Brew: Industrial scale data poisoning via gradient matching","author":"Geiping","year":"2020"},{"key":"ref48","article-title":"Learning multiple layers of features from tiny images","author":"Krizhevsky"},{"key":"ref49","article-title":"Tiny imagenet visual recognition challenge","author":"Le","year":"2015"},{"key":"ref50","article-title":"Preventing unauthorized use of proprietary data: Poisoning for secure dataset release","author":"Fowl","year":"2021"},{"key":"ref51","article-title":"Generative poisoning attack method against neural networks","author":"Yang","year":"2017"},{"key":"ref52","article-title":"Poisoning attacks with generative adversarial nets","author":"Mu\u00f1oz-Gonz\u00e1lez","year":"2019"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2905915"},{"key":"ref54","article-title":"Unlearnable examples: Making personal data unexploitable","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Huang"},{"key":"ref55","article-title":"Learning to confuse: Generating training time adversarial data with auto-encoder","volume-title":"Proc. Adv. Neural Informat. Process. Syst.","author":"Feng"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1007\/s10994-021-06119-y"},{"key":"ref57","article-title":"Influence functions in deep learning are fragile","author":"Basu","year":"2020"},{"key":"ref58","first-page":"97","article-title":"Support vector machines under adversarial label noise","volume-title":"Proc. Asian Conf. Mach. Learn.","author":"Biggio"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2017\/551"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/CISS.2017.7926118"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-13453-2_1"},{"key":"ref62","article-title":"Certified robustness to label-flipping attacks via randomized smoothing","author":"Rosenfeld","year":"2020"},{"key":"ref63","first-page":"560","article-title":"Learning disjunction of conjunctions","volume-title":"Proc. Int. Joint Conf. Artif. Intell.","author":"Valiant"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1137\/0222052"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-44371-2_26"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-70503-3_8"},{"key":"ref67","first-page":"572","article-title":"Learning under -tampering attacks","volume-title":"Proc. 26th Int. Conf. Algorithmic Learn. Theory","author":"Mahloujifar"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33014536"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom\/BigDataSE.2019.00057"},{"key":"ref70","first-page":"1605","article-title":"Local model poisoning attacks to byzantine-robust federated learning","volume-title":"Proc. 29th USENIX Secur. Symp.","author":"Fang"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1109\/ICPADS47876.2019.00042"},{"key":"ref72","article-title":"Mitigating sybils in federated learning poisoning","author":"Fung","year":"2018"},{"key":"ref73","first-page":"4274","article-title":"Data poisoning attacks in multi-party learning","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Mahloujifar"},{"key":"ref74","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"Chen","year":"2017"},{"key":"ref75","article-title":"BadNets: Identifying vulnerabilities in the machine learning model supply chain","author":"Gu","year":"2017"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485368"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/ICPR56361.2022.9956690"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2941376"},{"key":"ref79","article-title":"BadNL: Backdoor attacks against NLP models","author":"Chen","year":"2020"},{"key":"ref80","article-title":"Natural backdoor attack on text data","author":"Sun","year":"2020"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/3450569.3463560"},{"key":"ref82","article-title":"Graph backdoor","author":"Xi","year":"2020"},{"key":"ref83","article-title":"Exploring backdoor poisoning attacks against malware classifiers","author":"Severi","year":"2020"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00020"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1109\/DAC18072.2020.9218663"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"ref87","article-title":"Intriguing properties of neural networks","author":"Szegedy","year":"2013"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref89","article-title":"The space of transferable adversarial examples","author":"Tram\u00e8r","year":"2017"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00022"},{"key":"ref91","article-title":"Customizing triggers with concealed data poisoning","author":"Wallace","year":"2020"},{"key":"ref92","article-title":"You autocomplete me: Poisoning vulnerabilities in neural code completion","author":"Schuster","year":"2020"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-37228-6_15"},{"key":"ref94","article-title":"BAAAN: Backdoor attacks against autoencoder and gan-based machine learning models","author":"Salem","year":"2020"},{"issue":"8","key":"ref95","article-title":"Language models are unsupervised multitask learners","volume":"1","author":"Radford","year":"2019","journal-title":"OpenAI blog"},{"key":"ref96","article-title":"Design of intentional backdoors in sequential models","author":"Yang","year":"2019"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3114024"},{"key":"ref98","first-page":"1615","article-title":"Turning your weakness into a strength: Watermarking deep neural networks by backdooring","volume-title":"Proc. 27th USENIX Secur. Symp.","author":"Adi"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196550"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.3021407"},{"key":"ref101","article-title":"Backdoor attacks on facial recognition in the physical world","author":"Wenger","year":"2020"},{"key":"ref102","article-title":"FaceHack: Triggering backdoored facial recognition systems using facial characteristics","author":"Sarkar","year":"2020"},{"key":"ref103","article-title":"Label-consistent backdoor attacks","author":"Turner","year":"2019"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i07.6871"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.3156\/jsoft.29.5_177_2"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1145\/3394486.3403064"},{"key":"ref108","article-title":"Poisoned classifiers are not only backdoored, they are fundamentally broken","author":"Sun","year":"2020"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1109\/ICCD.2017.16"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354209"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1109\/TSC.2020.3000900"},{"key":"ref113","first-page":"2938","article-title":"How to backdoor federated learning","volume-title":"Proc. Int. Conf. Artif. Intell. Statist.","author":"Bagdasaryan"},{"key":"ref114","article-title":"Can you really backdoor federated learning?","author":"Sun","year":"2019"},{"key":"ref115","first-page":"8635","article-title":"A little is enough: Circumventing defenses for distributed learning","volume-title":"Proc. Adv. Neural Informat. Process. Syst.","author":"Baruch"},{"key":"ref116","first-page":"16070","article-title":"Attack of the tails: Yes, you really can backdoor federated learning","volume-title":"Proc. Adv. Neural Informat. Process. Syst.","author":"Wang"},{"key":"ref117","article-title":"DBA: Distributed backdoor attacks against federated learning","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Xie"},{"key":"ref118","article-title":"Backdoor attacks and defenses in feature-partitioned collaborative learning","author":"Liu","year":"2020"},{"key":"ref119","article-title":"Backdoor attacks on federated meta-learning","author":"Chen","year":"2020"},{"key":"ref120","article-title":"DeepSigns: A generic watermarking framework for IP protection of deep learning models","author":"Rouhani","year":"2018"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1145\/3078971.3078974"},{"key":"ref122","article-title":"Delving into transferable adversarial examples and black-box attacks","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Liu"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"ref124","first-page":"284","article-title":"Synthesizing robust adversarial examples","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Athalye"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1145\/342009.335388"},{"key":"ref126","doi-asserted-by":"publisher","DOI":"10.2307\/1266761"},{"key":"ref127","article-title":"Outliers in statistical data","volume-title":"Wiley Series in Probability and Mathematical Statistics Applied Probability and Statistics","author":"Barnett","year":"1984"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1145\/3381028"},{"key":"ref129","first-page":"3517","article-title":"Certified defenses for data poisoning attacks","volume-title":"Proc. Adv. Neural Informat. Process. Syst.","author":"Steinhardt"},{"key":"ref130","first-page":"1596","article-title":"Sever: A robust meta-algorithm for stochastic optimization","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Diakonikolas"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1111\/rssb.12364"},{"key":"ref132","article-title":"Detection of adversarial training examples in poisoning attacks through anomaly detection","author":"Paudice","year":"2018"},{"key":"ref133","first-page":"8000","article-title":"Spectral signatures in backdoor attacks","volume-title":"Proc. Adv. Neural Informat. Process. Syst.","author":"Tran"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1137\/17M1126680"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1109\/FOCS.2016.76"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23415"},{"key":"ref137","article-title":"Detecting backdoor attacks on deep neural networks by activation clustering","author":"Chen","year":"2018"},{"key":"ref138","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-66415-2_4"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/647"},{"key":"ref141","article-title":"TABOR: A highly accurate approach to inspecting and restoring trojan backdoors in AI systems","author":"Guo","year":"2019"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"ref143","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_14"},{"key":"ref144","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00034"},{"key":"ref145","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58583-9_20"},{"key":"ref146","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00038"},{"key":"ref147","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00025"},{"key":"ref149","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.74"},{"key":"ref150","first-page":"14004","article-title":"Defending neural backdoors via generative distribution modeling","volume-title":"Proc. Adv. Neural Informat. Process. Syst.","author":"Qiao"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.1145\/3394171.3413546"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453079"},{"key":"ref153","doi-asserted-by":"publisher","DOI":"10.1109\/ICPR48806.2021.9412684"},{"key":"ref154","doi-asserted-by":"publisher","DOI":"10.1073\/pnas.1611835114"},{"key":"ref155","doi-asserted-by":"publisher","DOI":"10.1002\/0471725250"},{"key":"ref156","doi-asserted-by":"publisher","DOI":"10.1002\/9781118186435"},{"key":"ref157","article-title":"A survey of sampling from contaminated distributions","volume-title":"Contributions to Probability and Statistics","author":"Tukey","year":"1960"},{"key":"ref158","doi-asserted-by":"publisher","DOI":"10.1214\/aoms\/1177703732"},{"key":"ref159","first-page":"552","article-title":"The","volume":"16","author":"Donoho","year":"1988","journal-title":"Ann. Statist."},{"key":"ref160","doi-asserted-by":"publisher","DOI":"10.1214\/aos\/1016218226"},{"key":"ref161","doi-asserted-by":"publisher","DOI":"10.1214\/17-AOS1607"},{"key":"ref162","article-title":"Resilience: A criterion for learning in the presence of arbitrary outliers","volume-title":"Proc. Innov. Theor. Comput. Sci. Conf.","volume":"94","author":"Steinhardt"},{"key":"ref163","doi-asserted-by":"publisher","DOI":"10.1214\/22-aos2186"},{"key":"ref164","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-02927-1_51"},{"key":"ref165","first-page":"999","article-title":"Being robust (in high dimensions) can be practical","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Diakonikolas"},{"key":"ref166","article-title":"Robust estimation and generative adversarial nets","author":"Gao","year":"2018"},{"key":"ref167","first-page":"1","article-title":"Generative adversarial nets for robust scatter estimation: A proper scoring rule perspective","volume":"21","author":"Gao","year":"2020","journal-title":"J. Mach. Learn. Res."},{"key":"ref168","doi-asserted-by":"publisher","DOI":"10.1145\/3055399.3055491"},{"key":"ref169","article-title":"Principled approaches to robust machine learning and beyond","author":"Li","year":"2018"},{"key":"ref170","article-title":"Robust learning: Information theory and algorithms","author":"Steinhardt","year":"2018"},{"key":"ref171","article-title":"Recent advances in algorithmic high-dimensional robust statistics","author":"Diakonikolas","year":"2019"},{"key":"ref172","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00044"},{"key":"ref173","first-page":"1310","article-title":"Certified adversarial robustness via randomized smoothing","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Cohen"},{"key":"ref174","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179451"},{"key":"ref175","article-title":"Deep partition aggregation: Provable defense against general poisoning attacks","author":"Levine","year":"2020"},{"key":"ref176","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i9.16971"},{"key":"ref177","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i9.21191"},{"key":"ref178","doi-asserted-by":"publisher","DOI":"10.1007\/11681878_14"},{"key":"ref179","article-title":"On the effectiveness of mitigating data poisoning attacks with gradient shaping","author":"Hong","year":"2020"},{"key":"ref180","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"ref181","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP39728.2021.9414862"},{"key":"ref182","article-title":"DP-Instahide: Provably defusing poisoning and backdoor attacks with differentially private data augmentations","author":"Borgnia","year":"2021"},{"key":"ref183","doi-asserted-by":"publisher","DOI":"10.1145\/1390156.1390294"},{"key":"ref184","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4899-7687-1_79"},{"key":"ref185","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00612"},{"key":"ref186","article-title":"Maxup: A simple way to improve generalization of neural network training","author":"Gong","year":"2020"},{"key":"ref187","article-title":"What doesn\u2019t kill you makes you robust (er): Adversarial training against poisons and backdoors","author":"Geiping","year":"2021"},{"key":"ref188","article-title":"Learning to detect malicious clients for robust federated learning","author":"Li","year":"2020"},{"key":"ref189","article-title":"Auto-encoding variational bayes","author":"Kingma","year":"2013"},{"key":"ref190","first-page":"119","article-title":"Machine learning with adversaries: Byzantine tolerant gradient descent","volume-title":"Proc. Adv. Neural Informat. Process. Syst.","author":"Blanchard"},{"key":"ref191","article-title":"The hidden vulnerability of distributed learning in byzantium","author":"Mhamdi","year":"2018"},{"key":"ref192","article-title":"Byzantine-robust distributed learning: Towards optimal statistical rates","author":"Yin","year":"2018"},{"key":"ref193","doi-asserted-by":"publisher","DOI":"10.1145\/3154503"},{"key":"ref194","doi-asserted-by":"publisher","DOI":"10.1109\/TSP.2022.3153135"},{"key":"ref195","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33011544"},{"key":"ref196","article-title":"Attack-resistant federated learning with residual-based reweighting","author":"Fu","year":"2019"},{"key":"ref197","doi-asserted-by":"publisher","DOI":"10.1093\/biomet\/69.1.242"},{"key":"ref198","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2017.7966217"},{"key":"ref199","article-title":"LEAF: A benchmark for federated settings","author":"Caldas","year":"2018"},{"key":"ref200","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS51616.2021.00086"},{"key":"ref201","article-title":"Mitigating backdoor attacks in federated learning","author":"Wu","year":"2020"},{"key":"ref202","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-63076-8_2"},{"key":"ref203","article-title":"Inverting gradients\u2013How easy is it to break privacy in federated learning?","author":"Geiping","year":"2020"},{"key":"ref204","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00019"},{"key":"ref205","first-page":"22205","article-title":"Auditing differentially private machine learning: How private is private SGD?","volume-title":"in Proc. Adv. Neural Informat. Process. Syst.","author":"Jagielski"}],"container-title":["IEEE Transactions on Pattern Analysis and Machine Intelligence"],"original-title":[],"link":[{"URL":"https:\/\/ieeexplore.ieee.org\/ielam\/34\/10008914\/9743317-aam.pdf","content-type":"application\/pdf","content-version":"am","intended-application":"syndication"},{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/34\/10008914\/09743317.pdf?arnumber=9743317","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,18]],"date-time":"2024-01-18T00:08:21Z","timestamp":1705536501000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9743317\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,2,1]]},"references-count":205,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.1109\/tpami.2022.3162397","relation":{},"ISSN":["0162-8828","2160-9292","1939-3539"],"issn-type":[{"value":"0162-8828","type":"print"},{"value":"2160-9292","type":"electronic"},{"value":"1939-3539","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,2,1]]}}}