{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T08:05:55Z","timestamp":1761897955954,"version":"3.37.3"},"reference-count":76,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"3","license":[{"start":{"date-parts":[[2024,3,1]],"date-time":"2024-03-01T00:00:00Z","timestamp":1709251200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2024,3,1]],"date-time":"2024-03-01T00:00:00Z","timestamp":1709251200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2024,3,1]],"date-time":"2024-03-01T00:00:00Z","timestamp":1709251200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100001809","name":"NSFC","doi-asserted-by":"publisher","award":["61972008","72031001","72071125","62161146003"],"award-info":[{"award-number":["61972008","72031001","72071125","62161146003"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Tencent Foundation\/XPLORER PRIZE"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IIEEE Trans. Software Eng."],"published-print":{"date-parts":[[2024,3]]},"DOI":"10.1109\/tse.2023.3348515","type":"journal-article","created":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T19:38:59Z","timestamp":1704137939000},"page":"376-390","source":"Crossref","is-referenced-by-count":2,"title":["Safety and Performance, Why Not Both? Bi-Objective Optimized Model Compression Against Heterogeneous Attacks Toward AI Software Deployment"],"prefix":"10.1109","volume":"50","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3490-4131","authenticated-orcid":false,"given":"Jie","family":"Zhu","sequence":"first","affiliation":[{"name":"Key Laboratory of High Confidence Software Technologies (Peking University), Ministry of Education, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7627-8485","authenticated-orcid":false,"given":"Leye","family":"Wang","sequence":"additional","affiliation":[{"name":"Key Laboratory of High Confidence Software Technologies (Peking University), Ministry of Education, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1331-0860","authenticated-orcid":false,"given":"Xiao","family":"Han","sequence":"additional","affiliation":[{"name":"Shanghai University of Finance and Economics, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1138-3660","authenticated-orcid":false,"given":"Anmin","family":"Liu","sequence":"additional","affiliation":[{"name":"Key Laboratory of High Confidence Software Technologies (Peking University), Ministry of Education, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6731-216X","authenticated-orcid":false,"given":"Tao","family":"Xie","sequence":"additional","affiliation":[{"name":"Key Laboratory of High Confidence Software Technologies (Peking University), Ministry of Education, Beijing, China"}]}],"member":"263","reference":[{"key":"ref1","first-page":"1106","article-title":"ImageNet classification with deep convolutional neural networks","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Krizhevsky","year":"2012"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510191"},{"key":"ref3","first-page":"8583","article-title":"Scaling vision with sparse mixture of experts","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Riquelme","year":"2021"},{"key":"ref4","first-page":"1877","article-title":"Language models are few-shot learners","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Brown","year":"2020"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/301618.301676"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/1180475.1180478"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.findings-emnlp.372"},{"key":"ref8","first-page":"1135","article-title":"Learning both weights and connections for efficient neural networks","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Han","year":"2015"},{"article-title":"BERT: Pre-training of deep bidirectional transformers for language understanding","year":"2018","author":"Devlin","key":"ref9"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/W18-5446"},{"key":"ref11","first-page":"267","article-title":"The secret sharer: Evaluating and testing unintended memorization in neural networks","volume-title":"Proc. 28th USENIX Secur. Symp. (USENIX Security)","author":"Carlini","year":"2019"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2020.2976475"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/JSEN.2020.2987768"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i11.17150"},{"key":"ref17","first-page":"4561","article-title":"Membership inference attacks and defenses in neural network pruning","volume-title":"Proc. 31st USENIX Secur. Symp. (USENIX Security)","author":"Yuan","year":"2022"},{"volume-title":"Test-Driven Development: By Example (Addison-Wesley Signature Series)","year":"2003","author":"Beck","key":"ref18"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1038\/s41467-018-04316-3"},{"key":"ref20","first-page":"5558","article-title":"White-box vs Black-box: Bayes optimal strategies for membership inference","volume-title":"Proc. Int. Conf. Mach. Learn. (ICML)","author":"Sablayrolles","year":"2019"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00027"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/3523273"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243855"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3556906"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1038\/s41592-019-0686-2"},{"article-title":"Network computations in artificial intelligence","year":"2017","author":"Mocanu","key":"ref27"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3449855"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3422622"},{"article-title":"Towards deep learning models resistant to adversarial attacks","year":"2017","author":"Madry","key":"ref30"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.244"},{"article-title":"Adversarial training methods for semi-supervised text classification","year":"2016","author":"Miyato","key":"ref32"},{"key":"ref33","first-page":"3358","article-title":"Adversarial training for free!\u201d","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Shafahi","year":"2019"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2019.2934096"},{"key":"ref35","first-page":"6989","article-title":"Do we actually need dense over-parameterization? In-time over-parameterization in sparse training","volume-title":"Proc. 38th Int. Conf. Mach. Learn. (ICML)","author":"Liu","year":"2021"},{"article-title":"Deep compression: Compressing deep neural networks with pruning, trained quantization and huffman coding","year":"2015","author":"Han","key":"ref36"},{"key":"ref37","first-page":"2943","article-title":"Rigging the lottery: Making all tickets winners","volume-title":"Proc. Int. Conf. Mach. Learn. (ICML)","author":"Evci","year":"2020"},{"article-title":"ML-doctor: Holistic risk assessment of inference attacks against machine learning models","year":"2021","author":"Liu","key":"ref38"},{"key":"ref39","first-page":"1","article-title":"E-CRF: Embedded conditional random field for boundary-caused class weights confusion in semantic segmentation","volume-title":"Proc. 11th Int. Conf. Learn. Representations (ICLR)","author":"Zhu","year":"2022"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00029"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484749"},{"article-title":"Learning multiple layers of features from tiny images","year":"2009","author":"Krizhevsky","key":"ref42"},{"key":"ref43","first-page":"1","article-title":"Very deep convolutional networks for large-scale image recognition","volume-title":"Proc. 3rd Int. Conf. Learn. Representations (ICLR)","author":"Simonyan","year":"2015"},{"key":"ref44","first-page":"3","article-title":"Tiny ImageNet visual recognition challenge","author":"Le","year":"2015"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref46","first-page":"97","article-title":"Ranking a stream of news","volume-title":"Proc. 14th Int. Conf. World Wide Web (WWW)","author":"Corso","year":"2005"},{"article-title":"RoBERTa: A robustly optimized BERT pretraining approach","year":"2019","author":"Liu","key":"ref47"},{"key":"ref48","first-page":"649","article-title":"Character-level convolutional networks for text classification","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Zhang","year":"2015"},{"article-title":"BERT: Pre-training of deep bidirectional transformers for language understanding","year":"2018","author":"Devlin","key":"ref49"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2021\/432"},{"article-title":"Distilling the knowledge in a neural network","year":"2015","author":"Hinton","key":"ref51"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23119"},{"key":"ref54","first-page":"2615","article-title":"Systematic evaluation of privacy risks of machine learning models","volume-title":"Proc. 30th USENIX Secur. Symp. (USENIX Security)","author":"Song","year":"2021"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560684"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0008"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417270"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/3448891.3448939"},{"article-title":"Membership inference attacks against self-supervised speech models","year":"2021","author":"Tseng","key":"ref59"},{"key":"ref60","first-page":"1867","article-title":"M^4I: Multi-modal models membership inference","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"35","author":"Hu","year":"2022"},{"issue":"1","key":"ref61","first-page":"61","article-title":"Membership inference attack against differentially private deep learning model","volume":"11","author":"Rahman","year":"2018","journal-title":"Trans. Data Privacy"},{"key":"ref62","first-page":"1895","article-title":"Evaluating differentially private machine learning in practice","volume-title":"Proc. 28th USENIX Secur. Symp. (USENIX Security)","author":"Jayaraman","year":"2019"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v37i9.26289"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2021.04.082"},{"key":"ref66","first-page":"1433","article-title":"Mitigating membership inference attacks by self-distillation through a novel ensemble architecture","volume-title":"Proc. 31st USENIX Secur. Symp. (USENIX Security)","author":"Tang","year":"2022"},{"key":"ref67","first-page":"2893","article-title":"Moonshine: Distilling with cheap convolutions","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Crowley","year":"2018"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2010.11929"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00286"},{"key":"ref70","first-page":"4114","article-title":"Binarized neural networks","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Hubara","year":"2016"},{"article-title":"Sparse networks from scratch: Faster training without losing performance","year":"2019","author":"Dettmers","key":"ref71"},{"key":"ref72","first-page":"4646","article-title":"Parameter efficient training of deep convolutional neural networks by dynamic sparse reparameterization","volume-title":"Proc. 36th Int. Conf. Mach. Learn. (ICML)","author":"Mostafa","year":"2019"},{"key":"ref73","first-page":"20 744","article-title":"Top-KAST: Top-K always sparse training","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Jayakumar","year":"2020"},{"key":"ref74","first-page":"15\u2009625","article-title":"Sparse weight activation training","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Raihan","year":"2020"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-020-05136-7"},{"key":"ref76","first-page":"22 941","article-title":"On-device training under 256KB memory","volume-title":"Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)","author":"Lin","year":"2022"}],"container-title":["IEEE Transactions on Software Engineering"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/32\/10473597\/10378737.pdf?arnumber=10378737","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,5]],"date-time":"2024-09-05T18:16:10Z","timestamp":1725560170000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10378737\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,3]]},"references-count":76,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.1109\/tse.2023.3348515","relation":{},"ISSN":["0098-5589","1939-3520","2326-3881"],"issn-type":[{"type":"print","value":"0098-5589"},{"type":"electronic","value":"1939-3520"},{"type":"electronic","value":"2326-3881"}],"subject":[],"published":{"date-parts":[[2024,3]]}}}