{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,7]],"date-time":"2026-04-07T16:50:15Z","timestamp":1775580615689,"version":"3.50.1"},"reference-count":266,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100021171","name":"Basic and Applied Basic Research Foundation of Guangdong Province","doi-asserted-by":"publisher","award":["2024B1515020095"],"award-info":[{"award-number":["2024B1515020095"]}],"id":[{"id":"10.13039\/501100021171","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Shenzhen Science and Technology Program","award":["RCYX20210609103057050"],"award-info":[{"award-number":["RCYX20210609103057050"]}]},{"name":"Shenzhen Science and Technology Program","award":["JCYJ20240813113608011"],"award-info":[{"award-number":["JCYJ20240813113608011"]}]},{"name":"Sub-topic of Key R&#x0026;D Projects of the Ministry of Science and Technology","award":["2023YFC3304804"],"award-info":[{"award-number":["2023YFC3304804"]}]},{"name":"Longgang District Key Laboratory of Intelligent Digital Economy Security"},{"name":"Guangdong Provincial Program","award":["2023TQ07A352"],"award-info":[{"award-number":["2023TQ07A352"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62471420"],"award-info":[{"award-number":["62471420"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100021171","name":"Basic and Applied Basic Research Foundation of Guangdong Province","doi-asserted-by":"publisher","award":["2025A1515012296"],"award-info":[{"award-number":["2025A1515012296"]}],"id":[{"id":"10.13039\/501100021171","id-type":"DOI","asserted-by":"publisher"}]},{"name":"CCF-Tencent Rhino-Bird Open Research Fund"},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U21B2044"],"award-info":[{"award-number":["U21B2044"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U24B20155"],"award-info":[{"award-number":["U24B20155"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Pattern Anal. Mach. Intell."],"published-print":{"date-parts":[[2026,1]]},"DOI":"10.1109\/tpami.2025.3611340","type":"journal-article","created":{"date-parts":[[2025,9,17]],"date-time":"2025-09-17T17:30:51Z","timestamp":1758130251000},"page":"876-895","source":"Crossref","is-referenced-by-count":8,"title":["Defenses in Adversarial Machine Learning: A Systematic Survey From the Lifecycle Perspective"],"prefix":"10.1109","volume":"48","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2183-5990","authenticated-orcid":false,"given":"Baoyuan","family":"Wu","sequence":"first","affiliation":[{"name":"Chinese University of Hong Kong, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-5159-239X","authenticated-orcid":false,"given":"Mingli","family":"Zhu","sequence":"additional","affiliation":[{"name":"Chinese University of Hong Kong, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-9955-9117","authenticated-orcid":false,"given":"Meixi","family":"Zheng","sequence":"additional","affiliation":[{"name":"Chinese University of Hong Kong, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1225-1718","authenticated-orcid":false,"given":"Zihao","family":"Zhu","sequence":"additional","affiliation":[{"name":"Chinese University of Hong Kong, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-7021-5145","authenticated-orcid":false,"given":"Shaokui","family":"Wei","sequence":"additional","affiliation":[{"name":"Chinese University of Hong Kong, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5322-0988","authenticated-orcid":false,"given":"Mingda","family":"Zhang","sequence":"additional","affiliation":[{"name":"Chinese University of Hong Kong, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-5997-3041","authenticated-orcid":false,"given":"Hongrui","family":"Chen","sequence":"additional","affiliation":[{"name":"Chinese University of Hong Kong, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-3880-5610","authenticated-orcid":false,"given":"Danni","family":"Yuan","sequence":"additional","affiliation":[{"name":"Chinese University of Hong Kong, Shenzhen, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4497-0135","authenticated-orcid":false,"given":"Li","family":"Liu","sequence":"additional","affiliation":[{"name":"Hong Kong University of Science and Technology, Guangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5512-6984","authenticated-orcid":false,"given":"Qingshan","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanjing University of Posts and Telecommunications, Nanjing, China"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00759"},{"key":"ref2","first-page":"1488","article-title":"Efficient and effective augmentation strategy for adversarial training","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Addepalli"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/ICPR56361.2022.9956476"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW59228.2023.00230"},{"key":"ref5","first-page":"12192","article-title":"Are labels required for improving adversarial robustness","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Alayrac"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i6.20545"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/IOLTS52814.2021.9486685"},{"key":"ref8","first-page":"47032","article-title":"Sharpness-aware minimization leads to low-rank features","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Andriushchenko"},{"key":"ref9","first-page":"2938","article-title":"How to backdoor federated learning","volume-title":"Proc. Int. Conf. Artif. Intell. Statist.","author":"Bagdasaryan"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00488"},{"key":"ref11","first-page":"26831","article-title":"Are transformers more robust than CNNs","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Bai"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1214\/009053605000000282"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00079"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV51070.2023.00406"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/WACV51458.2022.00387"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2018\/520"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-37456-2_14"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/ICPADS47876.2019.00042"},{"key":"ref19","first-page":"11190","article-title":"Unlabeled data improves adversarial robustness","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Carmon"},{"key":"ref20","first-page":"22285","article-title":"One-shot neural backdoor erasing via adversarial weight masking","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Chai"},{"key":"ref21","article-title":"Detecting backdoor attacks on deep neural networks by activation clustering","volume-title":"Proc. of the AAAI Workshop Artif. Intell. Saf.","author":"Chen"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2024.110394"},{"key":"ref23","first-page":"487","article-title":"DeepAttest: An end-to-end attestation framework for deep neural networks","volume-title":"Proc. ACM\/IEEE Annu. Int. Symp. Comput. Architecture","author":"Chen"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/647"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58601-0_5"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/3385003.3410925"},{"key":"ref27","first-page":"14929","article-title":"Adversarial attack on attackers: Post-process to mitigate black-box score-based query attacks","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Chen"},{"key":"ref28","first-page":"9727","article-title":"Effective backdoor defense by exploiting sensitivity of poisoned samples","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Chen"},{"key":"ref29","article-title":"REFINE: Inversion-free backdoor defense via model reprogramming","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Chen"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i10.29023"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v37i1.25118"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00025"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01446"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-20065-6_15"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/SPW54247.2022.9833884"},{"key":"ref36","article-title":"Keeping the bad guys out: Protecting and vaccinating deep learning with JPEG compression","author":"Das","year":"2017"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00103"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-20083-0_28"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/tpami.2025.3542350"},{"key":"ref40","first-page":"8270","article-title":"Adversarial distributional training for robust deep learning","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Dong"},{"key":"ref41","first-page":"6065","article-title":"Quantum entropy scoring for fast robust mean estimation and improved outlier detection","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Dong"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01617"},{"key":"ref43","article-title":"Robust anomaly detection and backdoor attack detection via differential privacy","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Du"},{"key":"ref44","first-page":"2880","article-title":"Learning diverse-structured networks for adversarial robustness","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Du"},{"key":"ref45","article-title":"Detecting adversarial samples from artifacts","author":"Feinman","year":"2017"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01569"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/ICCVW54120.2021.00008"},{"key":"ref48","article-title":"Mitigating sybils in federated learning poisoning","author":"Fung","year":"2018"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2022.3145837"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.00390"},{"key":"ref51","first-page":"13009","article-title":"Convergence of adversarial training in overparametrized neural networks","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Gao"},{"key":"ref52","first-page":"3564","article-title":"Maximum mean discrepancy test is aware of adversarial attacks","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Gao"},{"key":"ref53","article-title":"Backdoor attacks and countermeasures on deep learning: A comprehensive review","author":"Gao","year":"2020"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2023.3281872"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2022.3162397"},{"key":"ref57","first-page":"4218","article-title":"Improving robustness using generated data","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Gowal"},{"key":"ref58","article-title":"On the (statistical) detection of adversarial examples","author":"Grosse","year":"2017"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01300"},{"key":"ref60","article-title":"Countering adversarial images using input transformations","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Guo"},{"key":"ref61","article-title":"AEVA: Black-box backdoor detection using adversarial extreme value analysis","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Guo"},{"key":"ref62","article-title":"SCALE-UP: An efficient black-box input-level backdoor detection via analyzing scaled prediction consistency","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Guo"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00071"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/ICCD53106.2021.00090"},{"key":"ref65","article-title":"Generalizable lightweight proxy for robust NAS against diverse perturbations","author":"Ha","year":"2023"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV51070.2023.00461"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN52387.2021.9533442"},{"key":"ref68","first-page":"4129","article-title":"SPECTRE: Defending against backdoor attacks using robust covariance estimation","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Hayase"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.01410"},{"key":"ref70","article-title":"Stochastic security: Adversarial defense using long-run dynamics of energy-based models","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Hill"},{"key":"ref71","first-page":"23818","article-title":"DISCO: Adversarial defense with local implicit functions","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Ho"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/HOST49136.2021.9702292"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00613"},{"key":"ref74","first-page":"18992","article-title":"IBD-PSC: Input-level backdoor detection via parameter-oriented scaling consistency","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Hou"},{"key":"ref75","first-page":"1633","article-title":"A new defense against adversarial images: Turning a weakness into a strength","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Hu"},{"key":"ref76","article-title":"Triple wins: Boosting accuracy, robustness and efficiency together by enabling input-adaptive inference","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Hu"},{"key":"ref77","article-title":"Trigger hunting with a topological prior for Trojan detection","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Hu"},{"key":"ref78","article-title":"Distilling cognitive backdoor patterns within an image","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Huang"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2023\/96"},{"key":"ref80","first-page":"5545","article-title":"Exploring architectural ingredients of adversarially robust deep neural networks","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Huang"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV51070.2023.00429"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58583-9_20"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD51958.2021.9643556"},{"key":"ref84","first-page":"53090","article-title":"FedGame: A game-theoretic defense against backdoor attacks in federated learning","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Jia"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00624"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-19772-7_33"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2024.3381180"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01304"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2022.3184255"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2022.3201586"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2019.8683044"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01578"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-72970-6_6"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"ref95","first-page":"15669","article-title":"One-vs-the-rest loss to focus on important samples in adversarial training","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Kanai"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1016\/j.micpro.2022.104710"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i9.16989"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00038"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/PST52912.2021.9647763"},{"key":"ref100","article-title":"Backdoor defense via decoupling the training process","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Kunzhe"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00035"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52734.2025.02266"},{"key":"ref103","first-page":"2117","article-title":"Blacklight: Scalable defense for neural networks against query-based black-box attacks","volume-title":"Proc. USENIX Secur. Symp.","author":"Li"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.23919\/DATE51398.2021.9474113"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1109\/DAC18072.2020.9218665"},{"key":"ref106","article-title":"Data augmentation alone can improve adversarial training","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Li"},{"key":"ref107","article-title":"Learning to detect malicious clients for robust federated learning","author":"Li","year":"2020"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.615"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-73027-6_14"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423338"},{"key":"ref111","first-page":"14900","article-title":"Anti-backdoor learning: Training clean models on poisoned data","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Li"},{"key":"ref112","article-title":"Neural attention distillation: Erasing backdoor triggers from deep neural networks","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Li"},{"key":"ref113","article-title":"Less is more: Data pruning for faster adversarial training","author":"Li","year":"2023"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2024.110356"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00191"},{"key":"ref116","article-title":"Adversarial training on purification (AToP): Advancing both robustness and generalization","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Lin"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.00399"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3184262"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2022.3211411"},{"key":"ref121","article-title":"Backdoor defense with non-adversarial backdoor","author":"Liu","year":"2023","journal-title":"arXiv:2307.15539v4"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01570"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01458"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00095"},{"key":"ref126","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.56"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102819"},{"key":"ref128","article-title":"The \u201cbeatrix","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"Ma"},{"key":"ref129","article-title":"Characterizing adversarial subspaces using local intrinsic dimensionality","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Ma"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.1706.06083"},{"key":"ref131","first-page":"6640","article-title":"Adversarial robustness against the union of multiple perturbation models","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Maini"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00070"},{"key":"ref133","doi-asserted-by":"publisher","DOI":"10.23919\/EUSIPCO55093.2022.9909845"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134057"},{"key":"ref135","article-title":"On detecting adversarial perturbations","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Metzen"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2024.3354736"},{"key":"ref137","first-page":"75286","article-title":"Towards stable backdoor purification through feature shift tuning","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Min"},{"key":"ref138","first-page":"77934","article-title":"Uncovering, explaining, and mitigating the superficial safety of backdoor defense","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Min"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.00758"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01210"},{"key":"ref141","article-title":"Divide, denoise, and defend against adversarial attacks","author":"Moosavi-Dezfooli"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01963"},{"key":"ref143","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2019.2940533"},{"key":"ref144","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00034"},{"key":"ref145","first-page":"2700","article-title":"Neural architecture search finds robust models by knowledge distillation","volume-title":"Proc. Conf. Uncertainty Artif. Intell.","author":"Nath"},{"key":"ref146","doi-asserted-by":"publisher","DOI":"10.1109\/WACV51458.2022.00384"},{"key":"ref147","first-page":"1415","article-title":"FLAME: Taming backdoors in federated learning","volume-title":"Proc. USENIX Secur. Symp.","author":"Nguyen"},{"key":"ref148","first-page":"16805","article-title":"Diffusion models for adversarial purification","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Nie"},{"key":"ref149","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52733.2024.00570"},{"key":"ref150","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i10.17118"},{"key":"ref151","first-page":"2725","article-title":"ASSET: Robust backdoor data detection across a multiplicity of deep learning paradigms","volume-title":"Proc. USENIX Secur. Symp.","author":"Pan"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01176"},{"key":"ref153","first-page":"17258","article-title":"Robustness and accuracy could be reconcilable by (proper) definition","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Pang"},{"key":"ref154","article-title":"Deep k-nearest neighbors: Towards confident, interpretable and robust deep learning","author":"Papernot","year":"2018"},{"key":"ref155","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52734.2025.02725"},{"key":"ref156","article-title":"Robust principles: Architectural design principles for adversarially robust CNNs","volume-title":"Proc. Brit. Mach. Vis. Conf.","author":"Peng"},{"key":"ref157","article-title":"RobArch: Designing robust architectures against adversarial attacks","author":"Peng","year":"2023"},{"key":"ref158","doi-asserted-by":"publisher","DOI":"10.1109\/ICCVW54120.2021.00015"},{"key":"ref159","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-73027-6_16"},{"key":"ref160","article-title":"Hessian-aware training for enhancing DNNs resilience to parameter corruptions","author":"Prato","year":"2025"},{"key":"ref161","doi-asserted-by":"publisher","DOI":"10.1109\/EMBC48229.2022.9871347"},{"key":"ref162","first-page":"1685","article-title":"Towards a proactive ML approach for detecting backdoor poison samples","volume-title":"Proc. USENIX Secur. Symp.","author":"Qi"},{"key":"ref163","doi-asserted-by":"publisher","DOI":"10.3390\/electronics12040853"},{"key":"ref164","article-title":"EmInspector: Combating backdoor attacks in federated self-supervised learning through embedding inspection","author":"Qian","year":"2024"},{"key":"ref165","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2022.108889"},{"key":"ref166","first-page":"14004","article-title":"Defending neural backdoors via generative distribution modeling","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Qiao"},{"key":"ref167","first-page":"7650","article-title":"Random noise defense against query-based black-box attacks","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Qin"},{"key":"ref168","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2024.3352837"},{"key":"ref169","doi-asserted-by":"publisher","DOI":"10.1109\/IOLTS65288.2025.11116827"},{"key":"ref170","article-title":"RA-BNN: Constructing robust & accurate binary neural network to simultaneously defend adversarial bit-flip attack and improve accuracy","author":"Rakin","year":"2021"},{"key":"ref171","first-page":"8093","article-title":"Overfitting in adversarially robust deep learning","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Rice"},{"key":"ref172","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2022.108588"},{"key":"ref173","doi-asserted-by":"publisher","DOI":"10.1016\/0377-0427(87)90125-7"},{"key":"ref174","article-title":"Seal your backdoor with variational defense","author":"Saboli\u0107","year":"2025"},{"key":"ref175","article-title":"Backdoor defense through self-supervised and generative learning","volume-title":"Proc. Brit. Mach. Vis. Conf.","author":"Saboli\u0107"},{"key":"ref176","first-page":"21945","article-title":"Denoised smoothing: A provable defense for pretrained classifiers","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Salman"},{"key":"ref177","article-title":"Defense-GAN: Protecting classifiers against adversarial attacks using generative models","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Samangouei"},{"key":"ref178","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-020-04969-6"},{"key":"ref179","first-page":"3353","article-title":"Adversarial training for free","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Shafahi"},{"key":"ref180","article-title":"On the adversarial robustness of vision transformers","volume-title":"Trans. on Mach. Learn. Res.","author":"Shao"},{"key":"ref181","first-page":"9525","article-title":"Backdoor scanning for deep neural networks through k-arm optimization","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Shen"},{"key":"ref182","article-title":"Online adversarial purification based on self-supervised learning","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Shi"},{"key":"ref183","first-page":"57336","article-title":"Black-box backdoor defense via zero-shot image purification","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Shi"},{"key":"ref184","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-024-02103-w"},{"key":"ref185","article-title":"Defense against adversarial attacks with saak transform","author":"Song","year":"2018"},{"key":"ref186","article-title":"PixelDefend: Leveraging generative models to understand and defend against adversarial examples","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Song"},{"key":"ref187","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2022.3181972"},{"key":"ref188","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.00784"},{"key":"ref189","article-title":"Can you really backdoor federated learning","author":"Sun","year":"2019"},{"key":"ref190","first-page":"1541","article-title":"Demon in the variant: Statistical analysis of DNNs for robust backdoor contamination detection","volume-title":"Proc. USENIX Secur. Symp.","author":"Tang"},{"key":"ref191","article-title":"Setting the trap: Capturing and defeating backdoors in pretrained language models through honeypots","author":"Tang","year":"2023"},{"key":"ref192","article-title":"RobustART: Benchmarking robustness on architecture design and training techniques","author":"Tang","year":"2021"},{"key":"ref193","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01301"},{"key":"ref194","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i11.17187"},{"key":"ref195","first-page":"5858","article-title":"Adversarial training and robustness for multiple perturbations","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Tram\u00e8r"},{"key":"ref196","article-title":"Ensemble adversarial training: Attacks and defenses","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Tram\u00e8r"},{"key":"ref197","first-page":"8011","article-title":"Spectral signatures in backdoor attacks","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Tran"},{"key":"ref198","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref199","article-title":"Fighting gradients with gradients: Dynamic defenses against adversarial attacks","author":"Wang","year":"2021"},{"key":"ref200","first-page":"16070","article-title":"Attack of the tails: Yes, you really can backdoor federated learning","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Wang"},{"key":"ref201","article-title":"Self-ensemble adversarial training for improved robustness","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Wang"},{"key":"ref202","first-page":"2329","article-title":"Aegis: Mitigating targeted bit-flip attacks against deep neural networks","volume-title":"Proc. USENIX Conf. Secur. Symp.","author":"Wang"},{"key":"ref203","first-page":"23258","article-title":"Probabilistic margins for instance reweighting in adversarial training","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Wang"},{"key":"ref204","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_14"},{"key":"ref205","first-page":"6586","article-title":"On the convergence and robustness of adversarial training","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Wang"},{"key":"ref206","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00928"},{"key":"ref207","article-title":"Improving adversarial robustness requires revisiting misclassified examples","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Wang"},{"key":"ref208","article-title":"UNICORN: A unified backdoor trigger inversion framework","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Wang"},{"key":"ref209","first-page":"25876","article-title":"Shared adversarial unlearning: Backdoor mitigation by unlearning shared adversarial examples","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Wei"},{"key":"ref210","article-title":"Physically adversarial attacks and defenses in computer vision: A survey","author":"Wei","year":"2022"},{"key":"ref211","first-page":"11973","article-title":"On the trade-off between adversarial and backdoor robustness","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Weng"},{"key":"ref212","article-title":"Fast is better than free: Revisiting adversarial training","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Wong"},{"key":"ref213","first-page":"7054","article-title":"Do wider neural networks really help adversarial robustness","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Wu"},{"key":"ref214","article-title":"Attacking adversarial attacks as a defense","author":"Wu","year":"2021"},{"key":"ref215","article-title":"Attacks in adversarial machine learning: A systematic survey from the lifecycle perspective","author":"Wu","year":"2025","journal-title":"Int. J. Comput. Vis."},{"key":"ref216","first-page":"16913","article-title":"Adversarial neuron pruning purifies backdoored deep models","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Wu"},{"key":"ref217","article-title":"Skip connections matter: On the transferability of adversarial examples generated with ResNets","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Wu"},{"key":"ref218","first-page":"2958","article-title":"Adversarial weight perturbation helps robust generalization","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Wu"},{"key":"ref219","article-title":"Efficient adversarial training in llms with continuous attacks","author":"Xhonneux","year":"2024"},{"key":"ref220","first-page":"7867","article-title":"A unified detection framework for inference-stage backdoor defenses","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Xian"},{"key":"ref221","article-title":"Post-training detection of backdoor attacks for two-class and multi-attack scenarios","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Xiang"},{"key":"ref222","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP39728.2021.9414562"},{"key":"ref223","doi-asserted-by":"publisher","DOI":"10.1007\/s44267-023-00031-w"},{"key":"ref224","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.00787"},{"key":"ref225","article-title":"DBA: Distributed backdoor attacks against federated learning","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Xie"},{"key":"ref226","article-title":"Smooth adversarial training","author":"Xie","year":"2020"},{"key":"ref227","article-title":"Intriguing properties of adversarial training at scale","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Xie"},{"key":"ref228","article-title":"BaDExpert: Extracting backdoor functionality for accurate backdoor input detection","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Xie"},{"key":"ref229","first-page":"954","article-title":"Why do artificially generated data help adversarial robustness","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Xing"},{"key":"ref230","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2022.3183095"},{"key":"ref231","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23198"},{"key":"ref232","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00034"},{"key":"ref233","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2024.3472117"},{"key":"ref234","first-page":"39331","article-title":"Improving adversarial robustness by putting more regularizations on less robust samples","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Yang"},{"key":"ref235","first-page":"5505","article-title":"DVERGE: Diversifying vulnerabilities for enhanced robust generation of ensembles","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Yang"},{"key":"ref236","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.6140"},{"key":"ref237","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP49357.2023.10097220"},{"key":"ref238","doi-asserted-by":"publisher","DOI":"10.1109\/TETCI.2024.3400867"},{"key":"ref239","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2021.3103528"},{"key":"ref240","first-page":"12062","article-title":"Adversarial purification with score-based generative models","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Yoon"},{"key":"ref241","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2022\/512"},{"key":"ref242","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.240798"},{"key":"ref243","article-title":"Activation gradient based poisoned sample detection against backdoor attacks","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Yuan"},{"key":"ref244","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN55064.2022.9892654"},{"key":"ref245","article-title":"Adversarial unlearning of backdoors via implicit hypergradient","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Zeng"},{"key":"ref246","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01616"},{"key":"ref247","first-page":"227","article-title":"You only propagate once: Accelerating adversarial training via maximal principle","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Zhang"},{"key":"ref248","first-page":"7472","article-title":"Theoretically principled trade-off between robustness and accuracy","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Zhang"},{"key":"ref249","first-page":"11278","article-title":"Attacks which do not kill training make adversarial learning stronger","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Zhang"},{"key":"ref250","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2024.3384846"},{"key":"ref251","article-title":"Reliable poisoned sample detection against backdoor attacks enhanced by sharpness aware minimization","author":"Zhang","year":"2024"},{"key":"ref252","doi-asserted-by":"publisher","DOI":"10.1145\/3503161.3548065"},{"key":"ref253","first-page":"62006","article-title":"Fed-FA: Theoretically modeling client data divergence for federated language backdoor defense","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Zhang"},{"key":"ref254","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52729.2023.01177"},{"key":"ref255","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.33015869"},{"key":"ref256","article-title":"Bridging mode connectivity in loss landscapes and adversarial robustness","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Zhao"},{"key":"ref257","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-20065-6_11"},{"key":"ref258","first-page":"18667","article-title":"Pre-activation distributions expose backdoor neurons","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Zheng"},{"key":"ref259","first-page":"17258","article-title":"Topological detection of trojaned neural networks","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Zheng"},{"key":"ref260","first-page":"18330","article-title":"BERT loses patience: Fast and robust inference with early exit","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Zhou"},{"key":"ref261","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV51070.2023.00408"},{"key":"ref262","first-page":"114928","article-title":"Breaking the false sense of security in backdoor defense through re-activation attack","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Zhu"},{"key":"ref263","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV51070.2023.00412"},{"key":"ref264","first-page":"1132","article-title":"Neural polarizer: A lightweight and effective backdoor defense via purifying poisoned features","volume-title":"Proc. Int. Conf. Neural Inf. Process. Syst.","author":"Zhu"},{"key":"ref265","article-title":"Class-conditional neural polarizer: A lightweight and effective backdoor defense by purifying poisoned features","author":"Zhu","year":"2025"},{"key":"ref266","doi-asserted-by":"publisher","DOI":"10.1002\/9781394217519.ch17"}],"container-title":["IEEE Transactions on Pattern Analysis and Machine Intelligence"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/34\/11275622\/11169420.pdf?arnumber=11169420","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,4]],"date-time":"2025-12-04T21:01:34Z","timestamp":1764882094000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11169420\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1]]},"references-count":266,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/tpami.2025.3611340","relation":{},"ISSN":["0162-8828","2160-9292","1939-3539"],"issn-type":[{"value":"0162-8828","type":"print"},{"value":"2160-9292","type":"electronic"},{"value":"1939-3539","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1]]}}}